Solved: Re: How to write regex to extract Bing and Yahoo s...

ThomasLeroy · ‎08-27-2014

Hello,

I would like to extract bing and yahoo search from my proxySG logs.

i have this for yahoo search search yahoo 443 /search ?p=splunk&ei=UTF-8&fr=moz35 .
i use this regex to get the search p=(?

[^&]+)

and i have this for bing www bing com/ search?q=splunk&qs=n&form=QBRE

Splunk always put the two in the same fields
is there a way to make a difference between yahoo and bing search ?

Thank you

MuS · ‎08-27-2014

Hi ThomasLeroy,

based on your provided data, try this:

your base search here 
| rex "yahoo.+\?p\=(?<YahooSearch>[^&]+)|bing.+\?q\=(?<BingSearch>[^&]+)" 
| table YahooSearch BingSearch

hope this helps to get you started ...

cheers, MuS

MuS · ‎08-27-2014

Hi ThomasLeroy,

based on your provided data, try this:

your base search here 
| rex "yahoo.+\?p\=(?<YahooSearch>[^&]+)|bing.+\?q\=(?<BingSearch>[^&]+)" 
| table YahooSearch BingSearch

hope this helps to get you started ...

cheers, MuS

MuS · ‎08-27-2014

you're welcome

ThomasLeroy · ‎08-27-2014

work as expected

Thank !

How to write regex to extract Bing and Yahoo search from proxySG logs?