Solved: google and bing keyword

NauticaTQP · ‎11-05-2020

I am seeking to get a list of the user typed keyword searches from the proxy activity. Below is what i got but those seem to be the referred or suggested keyword which can be deceitful and false positive.

index=main user_id=splunky AND x_webcat_code_full!="Advertisements" | fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id, x_webcat_code_full

| rex field=dest_url "\?q\=(?<search_term>[^&]+)\&"

| stats values(search_term)

something that strip out the link below and just providing me just "hp elitebook 840 g3" if that make sense?

https://www.google.com:443/search?ei=TO-WX_zcF5mDtQbczYCIBg&q=hp+elitebook+840+g3+drivers&oq=hp+elit...

richgalloway · ‎11-05-2020

The regex in your query doesn't quite match the sample data. Try this one

\Wq=(?<search_term>[^&]+)&

---
If this reply helps you, Karma would be appreciated.

View solution in original post

NauticaTQP · ‎11-05-2020

complete! thank you Richgalloway

dest_domain="google.com" index=main user_id=splunky AND x_webcat_code_full!="Advertisements"

| fields _time, bytes_in, bytes_out, dest_domain, dest_url, dvc_ip, user_id,x_webcat_code_full
| rex field=dest_url "\Wq=(?<search_term>[^&]+)&"
| stats values(search_term)

richgalloway · ‎11-05-2020

The regex in your query doesn't quite match the sample data. Try this one

\Wq=(?<search_term>[^&]+)&

---
If this reply helps you, Karma would be appreciated.

google and bing keyword

lookup

other

regex

rex

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!