topic Re: How to split user agent details in Splunk Search

How to split user agent details

jaibalaraman — Thu, 15 Oct 2020 03:18:11 GMT

I am new to splunk, and I need some help with SPL query to execute the below user agent

Log File -

" Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-J330G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/12.1 Chrome/79.0.3945.136 Mobile Safari/537.36

Expecting output -

Operating System	Mobile Device Info	Device Model	Browser	Browser version
Android / IOS	Samsung/ Iphone	Sm -J330G / I phone SE	Chrome / Mozilla	79.0.3945

Thanks

Re: How to split user agent details

ITWhisperer — Thu, 15 Oct 2020 06:47:40 GMT

Can you provide more examples, preferably in a code block </>, so we can see the correct formatting. User agent information varies quite a lot depending on device used.

Re: How to split user agent details

jaibalaraman — Wed, 21 Oct 2020 21:01:38 GMT

I am sorry , i am new to splunk. If you can guide how do I get the requested detail in code block.

Re: How to split user agent details

ITWhisperer — Wed, 21 Oct 2020 21:55:16 GMT

When you reply, open a code block with this symbol

and paste some same events so we can see exactly what the events look like

Re: How to split user agent details

jaibalaraman — Wed, 21 Oct 2020 22:08:04 GMT

Log File -

" Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-J330G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/12.1 Chrome/79.0.3945.136 Mobile Safari/537.36

Re: How to split user agent details

ITWhisperer — Wed, 21 Oct 2020 22:14:03 GMT

Please can you provide more examples, with different operating systems, mobile device infos, device models, browsers, browser versions, etc

" Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-J330G) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/12.1 Chrome/79.0.3945.136 Mobile Safari/537.36

Re: How to split user agent details

jaibalaraman — Wed, 21 Oct 2020 22:21:43 GMT

Mozilla/5.0 (Linux; Android 5.1; HUAWEI LYO-L02) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.101 Mobile Safari/537.36

Mozilla/5.0 (Linux; Android 10; SAMSUNG SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/12.1 Chrome/79.0.3945.136 Mobile Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 (Applebot/0.1; +http://www.apple.com/go/applebot)

Mozilla/5.0 (Linux; U; Android 8.1.0; zh-cn; OPPO R11s Build/OPM1.171019.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.80 Mobile Safari/537.36 HeyTapBrowser/10.7.5.5

Re: How to split user agent details

ITWhisperer — Wed, 21 Oct 2020 23:07:04 GMT

You could start with this

rex field=useragentdetails "(?<useragent>\S+)\s+\((?<OSinfo>[^\)]+)\)\s+(?<platform>\S+)\s+\((?<platformdetails>[^\)]+)\)\s+(?<extensions>.+)"

You could then use rex or split to separate the different parts of the OSinfo and extensions to extract the information you feel is important.

Re: How to split user agent details

jaibalaraman — Wed, 21 Oct 2020 23:12:42 GMT

Thanks for the information

I tried searching the below query , " no result found". However I am not sure am I doing it correctly.

Could you please guide me on this

rex field=useragentdetails "(?<useragent>\S+)\s+\((?<OSinfo>[^\)]+)\)\s+(?<platform>\S+)\s+\((?<platformdetails>[^\)]+)\)\s+(?<extensions>.+)"

Re: How to split user agent details

jaibalaraman — Wed, 21 Oct 2020 23:19:03 GMT

Sorry I managed to run rex spl query , please ignore my previous message .

Could you please guide me what spl command i should use to get as dashboard panel or visualization.

Thanks

Re: How to split user agent details

ITWhisperer — Thu, 22 Oct 2020 07:11:50 GMT

The rex specifies a field to operate on - I assumed you had already extracted this (and called it useragentdetails. If it has been extracted to a different field then use that instead. Having said that, the event shown in your latest screenshot does not include any of the data you are interested in. Do you have any events that do? Can you paste them into a code block so we can see what you are dealing with?

Re: How to split user agent details

kennetkline — Thu, 22 Oct 2020 21:15:07 GMT

based on your second post looks like you got results

get a stats table as desired

your search with| rex |table useragent, OSinfo, platform, platformdetails, extensions

Right above Search; You can "save as" your search as a report or a "dashboard panel". as a "statistics table"