It looks like there are a handful of user agents that show up as unknown:
Mozilla/5.0+(iPhone;+CPU+iPhone+OS+7_1_1+like+Mac+OS+X)+AppleWebKit/537.51.2+(KHTML,+like+Gecko)+Mobile/11D201
Mozilla/5.0+(iPad;+CPU+OS+8_4_1+like+Mac+OS+X)+AppleWebKit/600.1.4+(KHTML,+like+Gecko)+Mobile/12H321
Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.34209
Mozilla/5.0+(iPhone;+CPU+iPhone+OS+8_3+like+Mac+OS+X)+AppleWebKit/600.1.4+(KHTML,+like+Gecko)+Mobile/12F70
How do we get these added into the lookup definitions? Manually though the .yaml?
One thing you may want to try doing is removing the "+" symbols from the user-agent string (some of the regexes in the YAML do use spaces). Something like:
eval http_user_agent = replace(http_user_agent,"+"," ")
If that doesn't work, then you may need to edit the regexes. This can be done by editing the regexes.yaml
, but be aware that those changes may be overwritten on an upgrade.
HTH,
Dave
One thing you may want to try doing is removing the "+" symbols from the user-agent string (some of the regexes in the YAML do use spaces). Something like:
eval http_user_agent = replace(http_user_agent,"+"," ")
If that doesn't work, then you may need to edit the regexes. This can be done by editing the regexes.yaml
, but be aware that those changes may be overwritten on an upgrade.
HTH,
Dave
Close - needed the slash:
eval http_user_agent = replace(http_user_agent,"\+"," ")