https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69238#M10321 <P>Dave, </P> <P>i tried sourcetype=access_combined_wcookie | lookup uas_lookup http_user_agent and i see the events but when i added sourcetype=access_combined_wcookie | lookup uas_lookup http_user_agent | stats count by ua_family i am not getting any results (even though it has matching events). our user agent field name is useragent. Do i need to change anything in the lookup table to match our field names, etc?</P> Mon, 28 Sep 2020 16:13:22 GMT xvxt006 2020-09-28T16:13:22Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69231#M10314 <P>Hi, we have a filed User_Agent which gets the user agents distribution. But what i would like to get it by browser family instead of showing by version. <BR /> Meaning right now the output is </P> <P>S.No User Agent Count Percentage </P> <P>1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8; .NET4.0C; .NET4.0E) 26513 8.818970<BR /> 2 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 16544 5.503000<BR /> 3 - 16041 5.335688<BR /> 4 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; CWADS32; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) 15727 5.231243<BR /> 5 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 10227 3.401788<BR /> 6 Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0 6462 2.149443<BR /> 7 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; CWADS32; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E) 5867 1.951529<BR /> 8 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11 5464 1.817480<BR /> 9 Mozilla/5.0 (compatible; Googlebot/2.1; +<A href="http://www.google.com/bot.html">http://www.google.com/bot.html</A>) 4655 1.548384<BR /> 10 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11 4555 1.515121</P> <P>I want the output to be something like this</P> <P>Browser Requests %<BR /> FireFox 4000 2<BR /> IE 12000 4</P> Wed, 19 Dec 2012 18:05:03 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69231#M10314 xvxt006 2012-12-19T18:05:03Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69232#M10315 <P>Hey xvxt006,</P> <P>Sorry to plug my own stuff, but this may help:<BR /> <A href="http://splunk-base.splunk.com/apps/48017/ta-uas_parser" target="_blank">http://splunk-base.splunk.com/apps/48017/ta-uas_parser</A></P> <P>Put simply, user-agent strings suck, extra parsing is required. This lookup does for you, which should allow you to get the types of stats you are looking for. Something like:</P> <P>index=web_data | lookup uas_lookup http_user_agent | stats count by ua_family</P> <P>HTH,</P> <P>Dave</P> Mon, 28 Sep 2020 12:59:34 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69232#M10315 dshpritz 2020-09-28T12:59:34Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69233#M10316 <P>I suggest that you build a lookup table that contains the following fields:</P> <PRE><CODE>useragent,browser "Mozilla/5.0 (compatible; Googlebot...",Googlebot </CODE></PRE> <P>I didn't put in the full useragent field, as it is pretty long!</P> <P>To figure out what user agents should be in the lookup table, you could run this search</P> <PRE><CODE>sourcetype=whatever | stats count by useragent </CODE></PRE> <P>Export the results and use them to build the .csv file. Read the transforms.conf file section for lookups, and you will find that you can use wildcards in your lookups! This feature is not available from the Splunk Manager UI; you have to edit the transforms.conf file directly.</P> <P>Use the wildcard feature to manage the slight variations in useragents. You will still probably have a lot of entries in your lookup file. Here are some other answers that may help with the lookup:</P> <P><A href="http://splunk-base.splunk.com/answers/52580/can-we-use-wild-characters-in-lookup-table">http://splunk-base.splunk.com/answers/52580/can-we-use-wild-characters-in-lookup-table</A><BR /><BR /> <A href="http://splunk-base.splunk.com/answers/28566/how-to-use-wildcard-in-lookup-based-searches-and-alerts">http://splunk-base.splunk.com/answers/28566/how-to-use-wildcard-in-lookup-based-searches-and-alerts</A> </P> <P>And links to the docs:<BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources">http://docs.splunk.com/Documentation/Splunk/5.0/knowledge/Addfieldsfromexternaldatasources</A><BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/admin/transformsconf">http://docs.splunk.com/Documentation/Splunk/5.0/admin/transformsconf</A></P> <P>Once you have the lookup table in Splunk, and the lookup defined, your search will be easy:</P> <PRE><CODE>sourcetype=whatever | lookup lookup-name useragent OUTPUT browser | top browser </CODE></PRE> Wed, 19 Dec 2012 21:07:32 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69233#M10316 lguinn2 2012-12-19T21:07:32Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69234#M10317 <P>Great. Thank you for both of your answers. I will try these.</P> Thu, 20 Dec 2012 15:29:25 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69234#M10317 xvxt006 2012-12-20T15:29:25Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69235#M10318 <P>Hi Dave, i have asked my admin to install your addon. I think he installed it under search App. But i am not seeing any of the fields that you have mentioned (I have field discover On). How to make sure that we have installed it properly.</P> Mon, 24 Dec 2012 15:57:38 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69235#M10318 xvxt006 2012-12-24T15:57:38Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69236#M10319 <P>Not sure if it is a current problem, but I couldn't run the script... The red error message "Script for lookup table 'uas_lookup' returned error code 1. Results may be incorrect." is displayed after taking a while running... The columns "os_company os_family os_name ua_build_version ua_company ua_family ua_info_url ua_major_version ua_minor_version ua_name ua_type" are displayed, but empty... Any way to verify that?</P> Mon, 28 Sep 2020 16:08:47 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69236#M10319 marcellodesales 2020-09-28T16:08:47Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69237#M10320 <P>Without looking at the data coming into it, it's not really something I can debug off of the top of my head. I haven't gotten other reports of that being a problem.</P> Fri, 14 Mar 2014 20:28:07 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69237#M10320 dshpritz 2014-03-14T20:28:07Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69238#M10321 <P>Dave, </P> <P>i tried sourcetype=access_combined_wcookie | lookup uas_lookup http_user_agent and i see the events but when i added sourcetype=access_combined_wcookie | lookup uas_lookup http_user_agent | stats count by ua_family i am not getting any results (even though it has matching events). our user agent field name is useragent. Do i need to change anything in the lookup table to match our field names, etc?</P> Mon, 28 Sep 2020 16:13:22 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69238#M10321 xvxt006 2020-09-28T16:13:22Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69239#M10322 <P>You will need to rename or copy your field to the http_user_agent field. You can do: </P> <PRE><CODE>index=web | rename useragent AS http_user_agent | lookup_uas http_user_agent </CODE></PRE> <P>or </P> <PRE><CODE>index=web | eval http_user_agent = useragent | lookup_uas http_user_agent </CODE></PRE> Mon, 28 Sep 2020 16:13:43 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69239#M10322 dshpritz 2020-09-28T16:13:43Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69240#M10323 <P>Anyone Help, please. I'm new to Splunk. Anytime I search with the command top, no result is returned. Any help?</P> <P>sourcetype=access_combined_wcookie| top limit=20 url</P> Mon, 28 Sep 2020 16:46:02 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69240#M10323 elesinolalekan 2020-09-28T16:46:02Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69241#M10324 <P>First, what happens if you simply run the base search</P> <P><CODE>sourcetype=access_combined_wcookie</CODE></P> <P>and second, when you look at the results of the base search, is there a field named <CODE>url</CODE>?</P> Fri, 30 May 2014 15:35:23 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69241#M10324 lguinn2 2014-05-30T15:35:23Z https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69242#M10325 <P>Thanks for the prompt reply. The search returns "0 Events Found".<BR /> Yes there is a field named url.</P> <P>Sorry about my late reply</P> Wed, 11 Jun 2014 12:38:29 GMT https://community.splunk.com/t5/Reporting/How-to-get-top-user-agent-distribution/m-p/69242#M10325 elesinolalekan 2014-06-11T12:38:29Z