https://community.splunk.com/t5/Splunk-Search/How-can-I-fetch-user-agent-info-and-OS-from-AWS-WAF-logs/m-p/479140#M195671 <P>I tried many ways to fetch the Web Browser, Version and OS info from the below format, i was unable to could you please help me out from this.</P> <P>{"name":"Content-Length","value":"0"},{"name":"user-agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36"},{"name":"accept","value":"image/webp,image/apng,image/<EM>,</EM>/*;q=0.8"}</P> <P>index=xxxx | top http_user_agent</P> <P>gives me the below result</P> <PRE> Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36 12112 25.350580 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 8433 17.650383 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 3761 7.871824 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362 2263 4.736490 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 1030 2.155804 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363 690 1.444179</PRE> But don't want all the info, i tried rex regen but they didn't work. Wed, 30 Sep 2020 05:04:12 GMT raghu1228 2020-09-30T05:04:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-fetch-user-agent-info-and-OS-from-AWS-WAF-logs/m-p/479140#M195671 <P>I tried many ways to fetch the Web Browser, Version and OS info from the below format, i was unable to could you please help me out from this.</P> <P>{"name":"Content-Length","value":"0"},{"name":"user-agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36"},{"name":"accept","value":"image/webp,image/apng,image/<EM>,</EM>/*;q=0.8"}</P> <P>index=xxxx | top http_user_agent</P> <P>gives me the below result</P> <PRE> Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36 12112 25.350580 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 8433 17.650383 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 3761 7.871824 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362 2263 4.736490 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 1030 2.155804 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363 690 1.444179</PRE> But don't want all the info, i tried rex regen but they didn't work. Wed, 30 Sep 2020 05:04:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-fetch-user-agent-info-and-OS-from-AWS-WAF-logs/m-p/479140#M195671 raghu1228 2020-09-30T05:04:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-fetch-user-agent-info-and-OS-from-AWS-WAF-logs/m-p/564903#M196782 <P>How did you get this data from the AWS WAF to extract properly to just output User Agent data? I'm stuck on trying to write regex to extract just the user-agent value in a stats count output...</P> Thu, 26 Aug 2021 15:39:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-fetch-user-agent-info-and-OS-from-AWS-WAF-logs/m-p/564903#M196782 jaxd4mty 2021-08-26T15:39:46Z