Solved: Re: Extract the User-Agent from HTTP request

ashishmgupta · ‎07-27-2021

Below the excerpt from my HTTP request and I'm trying to get the User-Agent value from it and so far not successful. Will appreciate any help.

This Splunk editor is removing the carriage return and line feed characters so below is the regex101 link.https://regex101.com/r/rdu8yE/1

Also attached is the screenshot of the HTTP request.

ashishmgupta · ‎07-27-2021

looks like 4 backslashes to get two? Below worked. Thank you for your help.

User-Agent: (?<UserAgent>[^\\\\]*)

View solution in original post

ashishmgupta · ‎07-27-2021

looks like 4 backslashes to get two? Below worked. Thank you for your help.

User-Agent: (?<UserAgent>[^\\\\]*)

richgalloway · ‎07-27-2021

Your regex was very close. This worked for me using the one example:

User-Agent: (?<UserAgent>[^\\]*)

---
If this reply helps you, Karma would be appreciated.

ashishmgupta · ‎07-27-2021

Error in 'rex' command: Encountered the following error while compiling the regex 'User-Agent: (?<UserAgent>[^\]*)': Regex: missing terminating ] for character class.

richgalloway · ‎07-27-2021

To use backslashes in a regex in SPL you have to escape them.

User-Agent: (?<UserAgent>[^\\\\\\]*)

Yes, that's 6 backslashes to get two.

---
If this reply helps you, Karma would be appreciated.

Extract the User-Agent from HTTP request

regex

rex

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)