Dashboards & Visualizations

How to isolate specific results in table output?

beetlegeuse
Path Finder

I have a search being used in a dashboard (note the use of XML encoding for < and > symbols) that leverages the HTTP user agent field to identify browser and device type, then displays results (from highest to lowest volume) in a table. Here's the search:

 

index=foo sourcetype=bar source=*widget.log* http.agent 
| rex field=http_user_agent "(?&lt;useragent&gt;\S+)\s+\((?&lt;deviceType&gt;[A-Za-z0-9 .]+); (?&lt;OSinfo&gt;[A-Za-z0-9 _.;:\/-]+)\).*\) (?&lt;extensions&gt;.+)" 
| eval browserType =  if(match(extensions, "^.*CriOS\/[0-9.]+"),"Chrome for iOS", if(match(extensions, "Google-Read-Aloud"),"Chrome with Google TTS (Text To Speech)", if(match(extensions, "^.*GSA\/[0-9.]+"),"Google Search App for iOS", if(match(extensions, "^.*EdgiOS\/[0-9.]+"),"Edge for iOS", if(match(extensions, "^.*FxiOS\/[0-9.]+"),"Firefox for iOS", if(match(extensions,"^Version\/[0-9.]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions,"^Version\/[0-9.]+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions, "^.*Edg\/[0-9.]+$$"),"Edge", if(match(extensions, "^.*EdgA\/[0-9.]+$$"),"Edge for Android", if(match(http_user_agent, "^.*rv:11.0.*"),"Internet Explorer 11", if(match(http_user_agent, "^.*Gecko.*Firefox.*"),"Firefox", if(match(http_user_agent, "^.*OPR"),"Opera", if(match(extensions, "^.*Chrome\/[0-9.]+\sSafari\/[0-9.]+$$"),"Chrome", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sSafari\/[0-9.]+$$"),"Chrome for Android", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Chrome for Android","OTHER")))))))))))))))))
| eval deviceType = if(match(http_user_agent,"Windows NT 10.0"),"Windows 10", if(match(http_user_agent,"Windows NT 6.0"),"Windows Vista", if(match(http_user_agent,"Windows NT 6.1"),"Windows 7", if(match(http_user_agent,"Windows NT 6.2"),"Windows 8", if(match(http_user_agent,"Windows NT 6.3"),"Windows 8.1", if(match(http_user_agent,"\(Windows Mobile 10;"),"Windows Mobile 10", if(match(http_user_agent,"iPhone"),"iPhone", if(match(http_user_agent,"X11"),"Linux", if(match(http_user_agent,"\(Linux x86_64;"),"Linux", if(match(http_user_agent,"iPad"),"iPad", if(match(http_user_agent,"Macintosh"),"MacOS", if(match(http_user_agent,"Linux; Android.*;"),"Android", if(match(http_user_agent,"Linux; Android.*\)"),"Android", if(match(http_user_agent,"Android.*; Mobile;"),"Android","OTHER"))))))))))))))
| eval browserDevice = browserType . ":" . deviceType
| stats count as Events by browserDevice | sort - Events

 

(side note: I tried using a Splunkbase TA such as "TA-user-agents" to facilitate the user agent parsing, but I found that it was adding a LOT of time to my search execution...so I just isolated specific user agent fields of interest in my search).

I've recently had an ask to filter the table results to show only the Apple related results returned in the "browserDevice" field (i.e., "Safari:MacOS", "Safari for iOS:iPhone", etc.). The key here is to show each result's percentage share among all possible "browserDevice" results returned (Apple or non-Apple related). I had originally scoped my base search to only include Apple related objects; while only Apple results were returned, the percentages were based on all Apple results as opposed to all Apple/non-Apple results.

The table results should show the count and the percentage share; how would I accomplish this ask?

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

 

| eventstats sum(Events) as allEvents
| where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc

 

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

 

| eventstats sum(Events) as allEvents
| where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc

 

0 Karma

beetlegeuse
Path Finder

Thank you! I used 

| where browserDevice = "Safari:MacOS" OR like(browserDevice, "%iPhone%") OR like(browserDevice, "%iPad%")

to address all the various iPhone/iPad permutations. 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...