https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685059#M233785 <P>Hello,</P><P>I have this search for tabular format.</P><P>&nbsp;</P><LI-CODE lang="markup">index="webbff" "SUCCESS: REQUEST" | table _time verificationId code BROWSER BROWSER_VERSION OS OS_VERSION USER_AGENT status | rename verificationId as "Verification ID", code as "HRC" | sort -_time</LI-CODE><P>&nbsp;</P><P>The issue is at BROWSER column where even when user access our app via Edge it still shows as Chrome. I found a dissimilarity between the two logs. One that is accessed via Edge contains "Edg" in the logs.</P><P>Edge logs</P><P>&nbsp;</P><LI-CODE lang="markup">metadata={BROWSER=Chrome, LOCALE=, OS=Windows, USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx Edg/124.0.0.0, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})</LI-CODE><P>&nbsp;</P><P>Chrome logs</P><P>&nbsp;</P><LI-CODE lang="markup">metadata={BROWSER=Chrome, LOCALE=, OS=Mac OS X, USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})</LI-CODE><P>&nbsp;</P><P>My question is, how do i create a conditional search for BROWSER like if contains Edg then Edge else BROWSER?</P> Tue, 23 Apr 2024 01:37:35 GMT mursidehsani 2024-04-23T01:37:35Z https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685059#M233785 <P>Hello,</P><P>I have this search for tabular format.</P><P>&nbsp;</P><LI-CODE lang="markup">index="webbff" "SUCCESS: REQUEST" | table _time verificationId code BROWSER BROWSER_VERSION OS OS_VERSION USER_AGENT status | rename verificationId as "Verification ID", code as "HRC" | sort -_time</LI-CODE><P>&nbsp;</P><P>The issue is at BROWSER column where even when user access our app via Edge it still shows as Chrome. I found a dissimilarity between the two logs. One that is accessed via Edge contains "Edg" in the logs.</P><P>Edge logs</P><P>&nbsp;</P><LI-CODE lang="markup">metadata={BROWSER=Chrome, LOCALE=, OS=Windows, USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx Edg/124.0.0.0, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})</LI-CODE><P>&nbsp;</P><P>Chrome logs</P><P>&nbsp;</P><LI-CODE lang="markup">metadata={BROWSER=Chrome, LOCALE=, OS=Mac OS X, USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})</LI-CODE><P>&nbsp;</P><P>My question is, how do i create a conditional search for BROWSER like if contains Edg then Edge else BROWSER?</P> Tue, 23 Apr 2024 01:37:35 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685059#M233785 mursidehsani 2024-04-23T01:37:35Z https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685062#M233787 <P>Without knowing a bit more about your data and extracted fields, you could do something like this</P><P>&nbsp;</P><LI-CODE lang="markup">| eval BROWSER=if(BROWSER="Chrome" AND match(_raw, " Edg\/"), "Edge", BROWSER)</LI-CODE><P>&nbsp;</P> Tue, 23 Apr 2024 02:27:42 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685062#M233787 bowesmana 2024-04-23T02:27:42Z https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685063#M233788 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;</P><P>Your solution hit the spot! Thank you so much <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 23 Apr 2024 02:30:49 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Search/m-p/685063#M233788 mursidehsani 2024-04-23T02:30:49Z