https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/598767#M49113 <P>I have a search being used in a dashboard (note the use of XML encoding for &lt; and &gt; symbols) that leverages the HTTP user agent field to identify browser and device type, then displays results (from highest to lowest volume) in a table. Here's the search:</P><P>&nbsp;</P><LI-CODE lang="markup">index=foo sourcetype=bar source=*widget.log* http.agent | rex field=http_user_agent "(?&amp;lt;useragent&amp;gt;\S+)\s+\((?&amp;lt;deviceType&amp;gt;[A-Za-z0-9 .]+); (?&amp;lt;OSinfo&amp;gt;[A-Za-z0-9 _.;:\/-]+)\).*\) (?&amp;lt;extensions&amp;gt;.+)" | eval browserType = if(match(extensions, "^.*CriOS\/[0-9.]+"),"Chrome for iOS", if(match(extensions, "Google-Read-Aloud"),"Chrome with Google TTS (Text To Speech)", if(match(extensions, "^.*GSA\/[0-9.]+"),"Google Search App for iOS", if(match(extensions, "^.*EdgiOS\/[0-9.]+"),"Edge for iOS", if(match(extensions, "^.*FxiOS\/[0-9.]+"),"Firefox for iOS", if(match(extensions,"^Version\/[0-9.]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions,"^Version\/[0-9.]+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions, "^.*Edg\/[0-9.]+$$"),"Edge", if(match(extensions, "^.*EdgA\/[0-9.]+$$"),"Edge for Android", if(match(http_user_agent, "^.*rv:11.0.*"),"Internet Explorer 11", if(match(http_user_agent, "^.*Gecko.*Firefox.*"),"Firefox", if(match(http_user_agent, "^.*OPR"),"Opera", if(match(extensions, "^.*Chrome\/[0-9.]+\sSafari\/[0-9.]+$$"),"Chrome", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sSafari\/[0-9.]+$$"),"Chrome for Android", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Chrome for Android","OTHER"))))))))))))))))) | eval deviceType = if(match(http_user_agent,"Windows NT 10.0"),"Windows 10", if(match(http_user_agent,"Windows NT 6.0"),"Windows Vista", if(match(http_user_agent,"Windows NT 6.1"),"Windows 7", if(match(http_user_agent,"Windows NT 6.2"),"Windows 8", if(match(http_user_agent,"Windows NT 6.3"),"Windows 8.1", if(match(http_user_agent,"\(Windows Mobile 10;"),"Windows Mobile 10", if(match(http_user_agent,"iPhone"),"iPhone", if(match(http_user_agent,"X11"),"Linux", if(match(http_user_agent,"\(Linux x86_64;"),"Linux", if(match(http_user_agent,"iPad"),"iPad", if(match(http_user_agent,"Macintosh"),"MacOS", if(match(http_user_agent,"Linux; Android.*;"),"Android", if(match(http_user_agent,"Linux; Android.*\)"),"Android", if(match(http_user_agent,"Android.*; Mobile;"),"Android","OTHER")))))))))))))) | eval browserDevice = browserType . ":" . deviceType | stats count as Events by browserDevice | sort - Events</LI-CODE><P>&nbsp;</P><P>(side note: I tried using a Splunkbase TA such as "TA-user-agents" to facilitate the user agent parsing, but I found that it was adding a LOT of time to my search execution...so I just isolated specific user agent fields of interest in my search).</P><P>I've recently had an ask to filter the table results to show only the Apple related results returned in the "browserDevice" field (i.e., "Safari:MacOS", "Safari for iOS:iPhone", etc.). The key here is to show each result's percentage share among all possible "browserDevice" results returned (Apple or non-Apple related). I had originally scoped my base search to only include Apple related objects; while only Apple results were returned, the percentages were based on all Apple results as opposed to all Apple/non-Apple results.</P><P>The table results should show the count and the percentage share; how would I accomplish this ask?</P><P>&nbsp;</P> Sat, 21 May 2022 17:00:49 GMT beetlegeuse 2022-05-21T17:00:49Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/598767#M49113 <P>I have a search being used in a dashboard (note the use of XML encoding for &lt; and &gt; symbols) that leverages the HTTP user agent field to identify browser and device type, then displays results (from highest to lowest volume) in a table. Here's the search:</P><P>&nbsp;</P><LI-CODE lang="markup">index=foo sourcetype=bar source=*widget.log* http.agent | rex field=http_user_agent "(?&amp;lt;useragent&amp;gt;\S+)\s+\((?&amp;lt;deviceType&amp;gt;[A-Za-z0-9 .]+); (?&amp;lt;OSinfo&amp;gt;[A-Za-z0-9 _.;:\/-]+)\).*\) (?&amp;lt;extensions&amp;gt;.+)" | eval browserType = if(match(extensions, "^.*CriOS\/[0-9.]+"),"Chrome for iOS", if(match(extensions, "Google-Read-Aloud"),"Chrome with Google TTS (Text To Speech)", if(match(extensions, "^.*GSA\/[0-9.]+"),"Google Search App for iOS", if(match(extensions, "^.*EdgiOS\/[0-9.]+"),"Edge for iOS", if(match(extensions, "^.*FxiOS\/[0-9.]+"),"Firefox for iOS", if(match(extensions,"^Version\/[0-9.]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions,"^Version\/[0-9.]+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions, "^.*Edg\/[0-9.]+$$"),"Edge", if(match(extensions, "^.*EdgA\/[0-9.]+$$"),"Edge for Android", if(match(http_user_agent, "^.*rv:11.0.*"),"Internet Explorer 11", if(match(http_user_agent, "^.*Gecko.*Firefox.*"),"Firefox", if(match(http_user_agent, "^.*OPR"),"Opera", if(match(extensions, "^.*Chrome\/[0-9.]+\sSafari\/[0-9.]+$$"),"Chrome", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sSafari\/[0-9.]+$$"),"Chrome for Android", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Chrome for Android","OTHER"))))))))))))))))) | eval deviceType = if(match(http_user_agent,"Windows NT 10.0"),"Windows 10", if(match(http_user_agent,"Windows NT 6.0"),"Windows Vista", if(match(http_user_agent,"Windows NT 6.1"),"Windows 7", if(match(http_user_agent,"Windows NT 6.2"),"Windows 8", if(match(http_user_agent,"Windows NT 6.3"),"Windows 8.1", if(match(http_user_agent,"\(Windows Mobile 10;"),"Windows Mobile 10", if(match(http_user_agent,"iPhone"),"iPhone", if(match(http_user_agent,"X11"),"Linux", if(match(http_user_agent,"\(Linux x86_64;"),"Linux", if(match(http_user_agent,"iPad"),"iPad", if(match(http_user_agent,"Macintosh"),"MacOS", if(match(http_user_agent,"Linux; Android.*;"),"Android", if(match(http_user_agent,"Linux; Android.*\)"),"Android", if(match(http_user_agent,"Android.*; Mobile;"),"Android","OTHER")))))))))))))) | eval browserDevice = browserType . ":" . deviceType | stats count as Events by browserDevice | sort - Events</LI-CODE><P>&nbsp;</P><P>(side note: I tried using a Splunkbase TA such as "TA-user-agents" to facilitate the user agent parsing, but I found that it was adding a LOT of time to my search execution...so I just isolated specific user agent fields of interest in my search).</P><P>I've recently had an ask to filter the table results to show only the Apple related results returned in the "browserDevice" field (i.e., "Safari:MacOS", "Safari for iOS:iPhone", etc.). The key here is to show each result's percentage share among all possible "browserDevice" results returned (Apple or non-Apple related). I had originally scoped my base search to only include Apple related objects; while only Apple results were returned, the percentages were based on all Apple results as opposed to all Apple/non-Apple results.</P><P>The table results should show the count and the percentage share; how would I accomplish this ask?</P><P>&nbsp;</P> Sat, 21 May 2022 17:00:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/598767#M49113 beetlegeuse 2022-05-21T17:00:49Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/598768#M49114 <P>&nbsp;</P><LI-CODE lang="markup">| eventstats sum(Events) as allEvents | where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc</LI-CODE><P>&nbsp;</P> Sat, 21 May 2022 17:30:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/598768#M49114 ITWhisperer 2022-05-21T17:30:19Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/599277#M49155 <P>Thank you! I used&nbsp;</P><LI-CODE lang="markup">| where browserDevice = "Safari:MacOS" OR like(browserDevice, "%iPhone%") OR like(browserDevice, "%iPad%")</LI-CODE><P>to address all the various iPhone/iPad permutations.&nbsp;</P> Wed, 25 May 2022 12:18:23 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-isolate-specific-results-in-table-output/m-p/599277#M49155 beetlegeuse 2022-05-25T12:18:23Z