Dashboards & Visualizations

How to isolate specific results in table output?

beetlegeuse
Path Finder

I have a search being used in a dashboard (note the use of XML encoding for < and > symbols) that leverages the HTTP user agent field to identify browser and device type, then displays results (from highest to lowest volume) in a table. Here's the search:

 

index=foo sourcetype=bar source=*widget.log* http.agent 
| rex field=http_user_agent "(?&lt;useragent&gt;\S+)\s+\((?&lt;deviceType&gt;[A-Za-z0-9 .]+); (?&lt;OSinfo&gt;[A-Za-z0-9 _.;:\/-]+)\).*\) (?&lt;extensions&gt;.+)" 
| eval browserType =  if(match(extensions, "^.*CriOS\/[0-9.]+"),"Chrome for iOS", if(match(extensions, "Google-Read-Aloud"),"Chrome with Google TTS (Text To Speech)", if(match(extensions, "^.*GSA\/[0-9.]+"),"Google Search App for iOS", if(match(extensions, "^.*EdgiOS\/[0-9.]+"),"Edge for iOS", if(match(extensions, "^.*FxiOS\/[0-9.]+"),"Firefox for iOS", if(match(extensions,"^Version\/[0-9.]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions,"^Version\/[0-9.]+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions, "^.*Edg\/[0-9.]+$$"),"Edge", if(match(extensions, "^.*EdgA\/[0-9.]+$$"),"Edge for Android", if(match(http_user_agent, "^.*rv:11.0.*"),"Internet Explorer 11", if(match(http_user_agent, "^.*Gecko.*Firefox.*"),"Firefox", if(match(http_user_agent, "^.*OPR"),"Opera", if(match(extensions, "^.*Chrome\/[0-9.]+\sSafari\/[0-9.]+$$"),"Chrome", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sSafari\/[0-9.]+$$"),"Chrome for Android", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Chrome for Android","OTHER")))))))))))))))))
| eval deviceType = if(match(http_user_agent,"Windows NT 10.0"),"Windows 10", if(match(http_user_agent,"Windows NT 6.0"),"Windows Vista", if(match(http_user_agent,"Windows NT 6.1"),"Windows 7", if(match(http_user_agent,"Windows NT 6.2"),"Windows 8", if(match(http_user_agent,"Windows NT 6.3"),"Windows 8.1", if(match(http_user_agent,"\(Windows Mobile 10;"),"Windows Mobile 10", if(match(http_user_agent,"iPhone"),"iPhone", if(match(http_user_agent,"X11"),"Linux", if(match(http_user_agent,"\(Linux x86_64;"),"Linux", if(match(http_user_agent,"iPad"),"iPad", if(match(http_user_agent,"Macintosh"),"MacOS", if(match(http_user_agent,"Linux; Android.*;"),"Android", if(match(http_user_agent,"Linux; Android.*\)"),"Android", if(match(http_user_agent,"Android.*; Mobile;"),"Android","OTHER"))))))))))))))
| eval browserDevice = browserType . ":" . deviceType
| stats count as Events by browserDevice | sort - Events

 

(side note: I tried using a Splunkbase TA such as "TA-user-agents" to facilitate the user agent parsing, but I found that it was adding a LOT of time to my search execution...so I just isolated specific user agent fields of interest in my search).

I've recently had an ask to filter the table results to show only the Apple related results returned in the "browserDevice" field (i.e., "Safari:MacOS", "Safari for iOS:iPhone", etc.). The key here is to show each result's percentage share among all possible "browserDevice" results returned (Apple or non-Apple related). I had originally scoped my base search to only include Apple related objects; while only Apple results were returned, the percentages were based on all Apple results as opposed to all Apple/non-Apple results.

The table results should show the count and the percentage share; how would I accomplish this ask?

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

 

| eventstats sum(Events) as allEvents
| where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc

 

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

 

| eventstats sum(Events) as allEvents
| where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc

 

0 Karma

beetlegeuse
Path Finder

Thank you! I used 

| where browserDevice = "Safari:MacOS" OR like(browserDevice, "%iPhone%") OR like(browserDevice, "%iPad%")

to address all the various iPhone/iPad permutations. 

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...