Key value pair... in a key value pair

adepasquale · ‎11-05-2020

Assume I have this key value pair in splunk

uri_query=“client=safari&source=hp&ei=5k-kX56GMdGpytMPu7asyA0&q=random+search&oq=random+search&gs_lcp=ChFtb2JpbGUtZ3dzLXdpei1ocBADMgUIABDJAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAA6CAgAELEDEIMBOgIILjoICC4QsQMQgwE6BQguELEDOgUIABCxAzoICAAQsQMQyQM6BAgAEApQ1xNY6yNg-iVoAHAAeACAAUKIAY8GkgECMTOYAQCgAQGwAQA&sclient=mobile-gws-wiz-hp”

the uri parameters could be in any order. If I want to search for a specific value I’m forced to do something like

| search uri_query=“*sclient=mobile-gws-wiz-hp*”

this is very slow for obvious reasons

if I run

| search sclient=mobile-gws-wiz-hp

This is very fast, but includes results where this value might be in the refer field rather than the uri_query field.

is there a better way to do these needle in a haystack searches?

richgalloway · ‎11-05-2020

Here's a kludgy, untested way to parse the uri_query field.

... | eval oldraw=_raw
| eval _raw=uri_query
| extract pairdelim="&" kvdelim="="
| eval _raw=oldraw
| search sclient="mobile-gws-wiz-hp"
...

---
If this reply helps you, Karma would be appreciated.

Key value pair... in a key value pair

field extraction

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Key value pair... in a key value pair

field extraction

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+