Splunk Search

Can I specify a regex in a lookup table to group similar requests into the same output lookup?

xvxt006
Contributor

Hi,

We would like to create a lookup table based on some user agents.

Mozilla/5.0 (compatible; Traverse/0.1; ABC 22175)
Mozilla/5.0 (compatible; Traverse/0.1; ABC 23457)
Mozilla/5.0 (compatible; Capture/0.4; ABC 56439)
Mozilla/5.0 (compatible; Capture/0.2; ABC 98123)

I would like to group similar kinds of requests in the lookup table and save them into field XXX.

So field XXX should show
Traverse 2 requests
Capture 2 requests

So can I specify a regex in the lookup table, as there will be multiple patterns which I would like to group?

0 Karma
1 Solution

lguinn2
Legend

There is an app that provides a dynamic lookup for user agent strings; it is called TA-uas_parser. Download it from

http://apps.splunk.com/app/1007

It's free. The user agent string can be very complex. I don't recommend that you build this yourself.

If you really want to do it yourself, you can use wildcards (regular expressions) in the input field of a lookup table.
See How to use wildcards in a lookup table for more info.

xvxt006
Contributor

I think it is not showing asterisks in the comments.

0 Karma

xvxt006
Contributor

Sorry, in the CSV I have it like this.

BOTs useragent
Traverse *Traverse*
Capture *Capture*

0 Karma

xvxt006
Contributor

Hi, I tried match_type = WILDCARD(useragent), and then I have this in the CSV file (lookup file).
BOTs useragent
Traverse *Traverse*
Capture *Capture*

But I am not getting them grouped. One thing I want to mention is, I already have a BOTs field which extracts all the legitimate BOTs (which have +http://....). I want to add these others into the same field, which do not have the standard user agent (+http://.. format).

Do you think it would work that way?

0 Karma
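
As an added example (written here, not code from the thread or from Splunk) of what the wildcard lookup above does with that CSV: each `*pattern*` in the useragent column becomes an anchored, case-insensitive regex (the equivalent of match_type = WILDCARD(useragent) in transforms.conf), each event gets the label of the first matching row, and an existing BOTs value is kept the way `lookup ... OUTPUTNEW` keeps it. The sample user agents and the Examplebot line are constructed.

```python
import csv
import fnmatch
import io
import re
from collections import Counter

# Constructed lookup file in the shape of the CSV from the thread: a "useragent"
# column of wildcard patterns and a "BOTs" column with the label to assign. In
# Splunk it is paired with a transforms.conf lookup definition that sets
# match_type = WILDCARD(useragent).
LOOKUP_CSV = """BOTs,useragent
Traverse,*Traverse*
Capture,*Capture*
"""

# Constructed sample events: the four agents from the question plus one crawler
# whose string already carries a +http:// URL (no wildcard row matches it).
SAMPLE_USERAGENTS = [
    "Mozilla/5.0 (compatible; Traverse/0.1; ABC 22175)",
    "Mozilla/5.0 (compatible; Traverse/0.1; ABC 23457)",
    "Mozilla/5.0 (compatible; Capture/0.4; ABC 56439)",
    "Mozilla/5.0 (compatible; Capture/0.2; ABC 98123)",
    "Mozilla/5.0 (compatible; Examplebot/2.1; +http://example.invalid/bot)",
]

def load_wildcard_lookup(csv_text):
    """Parse the lookup CSV into (compiled_regex, label) pairs. Splunk's WILDCARD
    match treats '*' as any run of characters; fnmatch.translate() gives an
    anchored regex with the same meaning. IGNORECASE mirrors
    case_sensitive_match = false in transforms.conf."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(re.compile(fnmatch.translate(r["useragent"]), re.IGNORECASE), r["BOTs"])
            for r in rows]

def classify(useragent, patterns):
    """Return the BOTs label of the first matching row, or None."""
    for regex, label in patterns:
        if regex.match(useragent):
            return label
    return None

def assign_bots(existing_bots, useragent, patterns):
    """Mimic `lookup ... OUTPUTNEW BOTs`: keep a BOTs value the event already
    has (e.g. from a +http:// string); fill from the lookup only when empty."""
    return existing_bots or classify(useragent, patterns)

def count_bots(useragents, patterns):
    """Count events per BOTs label; unmatched agents are dropped, just as
    `stats count by BOTs` drops events that lack the field."""
    return dict(Counter(c for c in (classify(u, patterns) for u in useragents) if c))
```

Running count_bots over the sample list gives {"Traverse": 2, "Capture": 2}, the grouping the question asks for, while the +http:// crawler is left for the existing BOTs extraction.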

xvxt006
Contributor

Thank you. I will try this.

0 Karma