topic Re: Extract browser type and device from User agent in Splunk Search

Extract browser type and device from User agent

shashank_24 — Sun, 05 Dec 2021 19:23:54 GMT

Hi, I've been reading number of posts about how to extract the OS and browser details but I don't think there is a better or clean way to do this.

I've a similar requirement where in my logs there is a user agent field. Now what I want is to know the browser details along with device like if it's a desktop, mobile etc.

Just posting this to see if anyone has figured out anything on this which can save time writing complex SPLs?

Any help will be appreciated.

Re: Extract browser type and device from User agent

richgalloway — Sun, 05 Dec 2021 20:44:34 GMT

There's an app for that. Check out TA -user-agents at https://splunkbase.splunk.com/app/1843/#/details

Re: Extract browser type and device from User agent

shashank_24 — Mon, 06 Dec 2021 13:14:44 GMT

Hi @richgalloway Thanks for the response. How does this app work? Does it create any extra field in the event?

And is it only compatible with certain format of the events. We have audit logs from ping federate which contains a field called useragent.

Just trying to understand even if i get this app installed, what is the way to extract the required information?

Re: Extract browser type and device from User agent

richgalloway — Mon, 06 Dec 2021 19:06:59 GMT

Sorry, but I don't have any details about the TA. Why not download it to your test system and try it out?

Re: Extract browser type and device from User agent

shashank_24 — Tue, 07 Dec 2021 09:58:00 GMT

@richgalloway yeah. I will need to speak to my Admin for that. Apart from this is there any other way to do this?

For example, extract the information by writing in SPL. I've done something like this but not sure if it is 100% correct -

| eval device = case((useragent LIKE "%Mobile%" OR useragent LIKE "%Mobile%Safari%" OR useragent LIKE "%iPhone%" OR useragent LIKE "Android%Firefox%" OR useragent LIKE "%UCBrowser%" OR useragent LIKE "%IEMobile%" OR useragent LIKE "%Dalvik%Android%" OR useragent LIKE "%Android-STV100%" ), "Mobile Device", useragent LIKE "%Windows NT%", "Windows", useragent LIKE "%Macintosh%", "Macintosh", (useragent LIKE "%Ubuntu%Linux%" OR useragent LIKE "%X11%OpenVAS%"), "Linux", true() ,"others") | eval browser = case(match(useragent,"Firefox"),"FireFox", match(useragent,"Chrome") AND NOT match(useragent,"Edge"),"Chrome", match(useragent,"Safari") AND NOT match(useragent,"Chrome"),"Safari", match(useragent, "MSIE|Trident|Edge"), "IE", NOT match(useragent, "Chrome|Firefox|Safari|MSIE|Trident|Edge"), "OTHERS")

Re: Extract browser type and device from User agent

richgalloway — Tue, 07 Dec 2021 13:39:44 GMT

You have the general idea, however like is a function (used the same way as match) rather than an operator.

| eval device = case((like(useragent, "%Mobile%") OR like(useragent, "%Mobile%Safari%") OR like(useragent, "%iPhone%") OR like(useragent, "Android%Firefox%") OR like(useragent, "%UCBrowser%") OR like(useragent, "%IEMobile%") OR like(useragent, "%Dalvik%Android%") OR like(useragent, "%Android-STV100%") ), "Mobile Device", like(useragent, "%Windows NT%"), "Windows", like(useragent, "%Macintosh%"), "Macintosh", (like(useragent, "%Ubuntu%Linux%") OR like(useragent, "%X11%OpenVAS%")), "Linux", true() ,"others")