Splunk Search

google and bing keyword

NauticaTQP
Engager

I am seeking to get a list of the user typed keyword searches from the proxy activity.  Below is what i got but those seem to be the referred or suggested keyword which can be deceitful and false positive.

index=main user_id=splunky AND x_webcat_code_full!="Advertisements" | fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id, x_webcat_code_full

 

| rex field=dest_url "\?q\=(?<search_term>[^&]+)\&"

| stats values(search_term)

 

something that strip out the link below and just providing me just "hp elitebook 840 g3" if that make sense?

 

https://www.google.com:443/search?ei=TO-WX_zcF5mDtQbczYCIBg&q=hp+elitebook+840+g3+drivers&oq=hp+elit...

Labels (5)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The regex in your query doesn't quite match the sample data.  Try this one

\Wq=(?<search_term>[^&]+)&
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

NauticaTQP
Engager

complete! thank you Richgalloway

dest_domain="google.com" index=main user_id=splunky AND x_webcat_code_full!="Advertisements"

| fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id,x_webcat_code_full
| rex field=dest_url "\Wq=(?<search_term>[^&]+)&"
| stats values(search_term)

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The regex in your query doesn't quite match the sample data.  Try this one

\Wq=(?<search_term>[^&]+)&
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!