topic Re: Syslog extract browser type field in Getting Data In

Syslog extract browser type field

imorales — Tue, 27 May 2014 08:07:07 GMT

Hello,

I would like to extract the browser type string to some fields from Netscaler VPX syslog. Splunk doesn´t extract this user_agent field automatically. I have tried some reg expressions but no luck. Splunk receives this data events:

Vserver 172.128.4.4:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" - SSLVPN_client_type Clientless

Vserver 172.128.4.4:443 - Browser_type "Mozilla/5.0 (Linux; U; Android 2.3.5; es-es; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobi" - SSLVPN_client_type Clientless

How can I extract this client information to these fields:

 - os_company: The OS vendor
 - os_family: The OS family
 - os_name: The name of the OS
 - ua_build_version: The build version of the browser
 - ua_company: The user-agent vendor
 - ua_family: The user-agent family (Firefox, Safari, IE, etc.)
 - ua_major_version: Major version of the user agent
 - ua_minor_version: Minor version of the user agent
 - ua_name: Full name of the user agent

Re: Syslog extract browser type field

somesoni2 — Tue, 27 May 2014 14:11:52 GMT

Can you post the expected values (based on your example) for these fields?

Re: Syslog extract browser type field

amitkr0201 — Mon, 23 Jun 2014 11:16:08 GMT

You can solve your problem in two step process:

1. Extract full user agent. A simple rex command or an entry in props.conf will do. Something similar to "\"(?P<UserAgent>[^\"]+)\"".

2. Use a python script to extract detailed data from user agent string. An example of such script: https://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py

Keep in mind that the python script linked might not be up to date and you might need to make additions to it for newer browsers/OS etc.