https://community.splunk.com/t5/All-Apps-and-Add-ons/Extracting-browser-statistics-from-access-logs/m-p/95765#M6563 <P>All:</P> <P>I am trying to chart browsers used by my app based on the "useragent" field from access_combined (apache logs) in this manner. </P> <PRE><CODE>sourcetype="access_combined" useragent!="-" AND useragent!="Apache" AND useragent!="Load-weight" AND useragent!="Java" AND useragent!="Jakarta Commons-HttpClient" | stats count(eval(match(useragent, "Firefox"))) as "Firefox", count(eval(match(useragent, "Chrome"))) as "Chrome", count(eval(match(useragent, "Safari"))) as "Safari", count(eval(match(useragent, "MSIE"))) as "IE", count(eval(NOT match(useragent, "Chrome|Firefox|Safari|MSIE"))) as "Other" </CODE></PRE> <P><BR /><BR /> <BR /></P> <P>The problem is that the actual log entry looks like this:</P> <P>For firefox:</P> <PRE><CODE>97.76.108.114 - - [11/Jul/2012:08:36:37 -0700] "POST /forgotPassword HTTP/1.1" 200 3799 "https://www.easycareonline.com/forgotPassword" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1" </CODE></PRE> <P>For IE:</P> <PRE><CODE>97.76.108.114 - - [11/Jul/2012:08:36:37 -0700] "POST /forgotPassword HTTP/1.1" 200 3799 "https://www.easycareonline.com/forgotPassword" "MSIE 8.0; Windows NT 5.2; Trident/4.0" </CODE></PRE> <P><BR /><BR /> <BR /></P> <P>The useragent entry files these two under OTHER because the ACTUAL VALUE for useragent is :</P> <PRE><CODE>"Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1" </CODE></PRE> <P>AND </P> <PRE><CODE>"MSIE 8.0; Windows NT 5.2; Trident/4.0" </CODE></PRE> <P><BR /><BR /> <BR /></P> <P>Any ideas on how to go about this ? Maybe regexes ?</P> <P>The problem with using field extractions is that there is no set standard for what a UA (User Agent) string should look like, at all. I wonder what the chrome entry looks like (obviously we have none yet)</P> Wed, 11 Jul 2012 15:59:12 GMT asarolkar 2012-07-11T15:59:12Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Extracting-browser-statistics-from-access-logs/m-p/95765#M6563 <P>All:</P> <P>I am trying to chart browsers used by my app based on the "useragent" field from access_combined (apache logs) in this manner. </P> <PRE><CODE>sourcetype="access_combined" useragent!="-" AND useragent!="Apache" AND useragent!="Load-weight" AND useragent!="Java" AND useragent!="Jakarta Commons-HttpClient" | stats count(eval(match(useragent, "Firefox"))) as "Firefox", count(eval(match(useragent, "Chrome"))) as "Chrome", count(eval(match(useragent, "Safari"))) as "Safari", count(eval(match(useragent, "MSIE"))) as "IE", count(eval(NOT match(useragent, "Chrome|Firefox|Safari|MSIE"))) as "Other" </CODE></PRE> <P><BR /><BR /> <BR /></P> <P>The problem is that the actual log entry looks like this:</P> <P>For firefox:</P> <PRE><CODE>97.76.108.114 - - [11/Jul/2012:08:36:37 -0700] "POST /forgotPassword HTTP/1.1" 200 3799 "https://www.easycareonline.com/forgotPassword" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1" </CODE></PRE> <P>For IE:</P> <PRE><CODE>97.76.108.114 - - [11/Jul/2012:08:36:37 -0700] "POST /forgotPassword HTTP/1.1" 200 3799 "https://www.easycareonline.com/forgotPassword" "MSIE 8.0; Windows NT 5.2; Trident/4.0" </CODE></PRE> <P><BR /><BR /> <BR /></P> <P>The useragent entry files these two under OTHER because the ACTUAL VALUE for useragent is :</P> <PRE><CODE>"Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1" </CODE></PRE> <P>AND </P> <PRE><CODE>"MSIE 8.0; Windows NT 5.2; Trident/4.0" </CODE></PRE> <P><BR /><BR /> <BR /></P> <P>Any ideas on how to go about this ? Maybe regexes ?</P> <P>The problem with using field extractions is that there is no set standard for what a UA (User Agent) string should look like, at all. I wonder what the chrome entry looks like (obviously we have none yet)</P> Wed, 11 Jul 2012 15:59:12 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Extracting-browser-statistics-from-access-logs/m-p/95765#M6563 asarolkar 2012-07-11T15:59:12Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Extracting-browser-statistics-from-access-logs/m-p/95766#M6564 <P>Because there is such a large number of useragents, it may be worth while using a lookup file to determine the browser, periodically refreshing it when you're getting too many "misses".</P> <P>After a bit of a look I stumbled upon this site: <A href="http://browsers.garykeith.com/downloads">http://browsers.garykeith.com/downloads</A>, which has a comprehensive list of user-agents and (with a bit of vi trickery) could easily be converted into a lookup that allows you to determine a users browser make &amp; version from the user agent in the event.</P> <P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 16 Jul 2012 14:55:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Extracting-browser-statistics-from-access-logs/m-p/95766#M6564 rturk 2012-07-16T14:55:54Z