Solved: google and bing keyword

NauticaTQP · ‎11-05-2020

I am seeking to get a list of the user typed keyword searches from the proxy activity. Below is what i got but those seem to be the referred or suggested keyword which can be deceitful and false positive.

index=main user_id=splunky AND x_webcat_code_full!="Advertisements" | fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id, x_webcat_code_full

| rex field=dest_url "\?q\=(?<search_term>[^&]+)\&"

| stats values(search_term)

something that strip out the link below and just providing me just "hp elitebook 840 g3" if that make sense?

https://www.google.com:443/search?ei=TO-WX_zcF5mDtQbczYCIBg&q=hp+elitebook+840+g3+drivers&oq=hp+elit...

richgalloway · ‎11-05-2020

The regex in your query doesn't quite match the sample data. Try this one

\Wq=(?<search_term>[^&]+)&

---
If this reply helps you, Karma would be appreciated.

View solution in original post

NauticaTQP · ‎11-05-2020

complete! thank you Richgalloway

dest_domain="google.com" index=main user_id=splunky AND x_webcat_code_full!="Advertisements"

| fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id,x_webcat_code_full
| rex field=dest_url "\Wq=(?<search_term>[^&]+)&"
| stats values(search_term)

richgalloway · ‎11-05-2020

The regex in your query doesn't quite match the sample data. Try this one

\Wq=(?<search_term>[^&]+)&

---
If this reply helps you, Karma would be appreciated.

google and bing keyword

lookup

regex

rex

stats

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation