Splunk Search

google and bing keyword

NauticaTQP
Engager

I am seeking to get a list of the user typed keyword searches from the proxy activity.  Below is what i got but those seem to be the referred or suggested keyword which can be deceitful and false positive.

index=main user_id=splunky AND x_webcat_code_full!="Advertisements" | fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id, x_webcat_code_full

 

| rex field=dest_url "\?q\=(?<search_term>[^&]+)\&"

| stats values(search_term)

 

something that strip out the link below and just providing me just "hp elitebook 840 g3" if that make sense?

 

https://www.google.com:443/search?ei=TO-WX_zcF5mDtQbczYCIBg&q=hp+elitebook+840+g3+drivers&oq=hp+elit...

Labels (5)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The regex in your query doesn't quite match the sample data.  Try this one

\Wq=(?<search_term>[^&]+)&
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

NauticaTQP
Engager

complete! thank you Richgalloway

dest_domain="google.com" index=main user_id=splunky AND x_webcat_code_full!="Advertisements"

| fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id,x_webcat_code_full
| rex field=dest_url "\Wq=(?<search_term>[^&]+)&"
| stats values(search_term)

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The regex in your query doesn't quite match the sample data.  Try this one

\Wq=(?<search_term>[^&]+)&
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.