topic Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included? in All Apps and Add-ons

Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

billebel — Tue, 29 Sep 2020 07:16:32 GMT

Having an issue with the field extractions on this one. Hopefully I can explain and someone can help.

There seems to be a problem with the extraction of the http_user_agent extraction. The regex provided in the add-on is expecting the user agent to be enclosed in quotes

\s+\"(?<http_user_agent>[^\"]+)\"\s+

but our logs have instances where a user agent is not present and only a dash is included, causing the field extraction to fail for these events.

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

rphillips_splk — Tue, 15 Sep 2015 22:15:37 GMT

can you provide an example of a log event that includes a user agent and one that does not.

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

billebel — Tue, 29 Sep 2020 07:16:37 GMT

Here is a sample of the two different events.

Without user agent
2015-09-16 14:35:34 1 10.1.1.1 - - - PROXIED "Financial Services" - 0 - GET - http host.domain.com 8080 /accelerated_pac_base.pac - pac - 10.1.1.1 0 109 - "none" "none" - 10.1.1.2 - - - -

With user agent
2015-09-16 14:27:56 2 1.1.1.1 someuser - content_filter_denied DENIED "Black_List_Social_Networking;Client_Facebook;Social Networking;Content Servers" 403 TCP_DENIED GET - https s-static.ak.facebook.com 443 js "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36" 10.54.74.201 4815 467 - none - - none *.ak.fbcdn.net "Social Networking" 23.60.114.110 ?version=41 ?version=41 ?version=41 player.performgroup.com

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

rphillips_splk — Tue, 29 Sep 2020 07:16:45 GMT

in this example is "someuser" the http_user_agent you are looking to extract?

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

billebel — Tue, 29 Sep 2020 07:16:48 GMT

No, the with user agent example works fine, but in the example below the hyphen between pac and 10.1.1.1, which is the user agent, doesn't extract.

2015-09-16 14:35:34 1 10.1.1.1 - - - PROXIED "Financial Services" - 0 - GET - http host.domain.com 8080 /accelerated_pac_base.pac - pac - 10.1.1.1 0 109 - "none" "none" - 10.1.1.2 - - - -

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

billebel — Thu, 17 Sep 2015 18:05:19 GMT

OK this seems to extract both cases.

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

jcoates_splunk — Sat, 19 Sep 2015 16:21:23 GMT

thanks, filed a bug for this thread

Re: Splunk Add-on for Blue Coat ProxySG: How to handle failed extraction of http_user_agent where a user agent value is not included?

jcoates_splunk — Fri, 25 Sep 2015 22:19:42 GMT

Version 3.4.0 doesn't have this issue, what version was being used?