Solved: Extract the User-Agent from HTTP request

ashishmgupta · ‎07-27-2021

Below the excerpt from my HTTP request and I'm trying to get the User-Agent value from it and so far not successful. Will appreciate any help.

This Splunk editor is removing the carriage return and line feed characters so below is the regex101 link.https://regex101.com/r/rdu8yE/1

Also attached is the screenshot of the HTTP request.

ashishmgupta · ‎07-27-2021

looks like 4 backslashes to get two? Below worked. Thank you for your help.

User-Agent: (?<UserAgent>[^\\\\]*)

View solution in original post

ashishmgupta · ‎07-27-2021

looks like 4 backslashes to get two? Below worked. Thank you for your help.

User-Agent: (?<UserAgent>[^\\\\]*)

richgalloway · ‎07-27-2021

Your regex was very close. This worked for me using the one example:

User-Agent: (?<UserAgent>[^\\]*)

---
If this reply helps you, Karma would be appreciated.

ashishmgupta · ‎07-27-2021

Error in 'rex' command: Encountered the following error while compiling the regex 'User-Agent: (?<UserAgent>[^\]*)': Regex: missing terminating ] for character class.

richgalloway · ‎07-27-2021

To use backslashes in a regex in SPL you have to escape them.

User-Agent: (?<UserAgent>[^\\\\\\]*)

Yes, that's 6 backslashes to get two.

---
If this reply helps you, Karma would be appreciated.

Extract the User-Agent from HTTP request

regex

rex

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

Extract the User-Agent from HTTP request

regex

rex

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!