Solved: Extract the User-Agent from HTTP request

ashishmgupta · ‎07-27-2021

Below the excerpt from my HTTP request and I'm trying to get the User-Agent value from it and so far not successful. Will appreciate any help.

This Splunk editor is removing the carriage return and line feed characters so below is the regex101 link.https://regex101.com/r/rdu8yE/1

Also attached is the screenshot of the HTTP request.

ashishmgupta · ‎07-27-2021

looks like 4 backslashes to get two? Below worked. Thank you for your help.

User-Agent: (?<UserAgent>[^\\\\]*)

View solution in original post

ashishmgupta · ‎07-27-2021

looks like 4 backslashes to get two? Below worked. Thank you for your help.

User-Agent: (?<UserAgent>[^\\\\]*)

richgalloway · ‎07-27-2021

Your regex was very close. This worked for me using the one example:

User-Agent: (?<UserAgent>[^\\]*)

---
If this reply helps you, Karma would be appreciated.

ashishmgupta · ‎07-27-2021

Error in 'rex' command: Encountered the following error while compiling the regex 'User-Agent: (?<UserAgent>[^\]*)': Regex: missing terminating ] for character class.

richgalloway · ‎07-27-2021

To use backslashes in a regex in SPL you have to escape them.

User-Agent: (?<UserAgent>[^\\\\\\]*)

Yes, that's 6 backslashes to get two.

---
If this reply helps you, Karma would be appreciated.

Extract the User-Agent from HTTP request

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation