Dashboards & Visualizations

OS Browser Stats onto a custom dashboard

asarolkar
Builder

I have a savedSearch like this which I want to put up on a dashboard in the form of a pie chart.

sourcetype="access_combined" host="us1-p01" | transaction clientip useragent | stats count as browserHits by useragent

We do not wish to use the web intelligence App !

My problem is that the aforementioned search gives me the results with a (barebones) useragent count only:

"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040416 ipMonitor/10.6"
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html"

I want to be able to display all statistics gathered (see below) in the form of a pie chart:

RECOGNISED BROWSERS
IE 7: 84 (19%)
Chrome: 49 (11%)
Safari: 8 (2%)
Firefox 5: 1 (0%)
Firefox 6: 0 (0%)
Firefox 7: 0 (0%)
Firefox 8: 0 (0%)
Unknown Android Browser: 3 (1%)

I know you can use python scripts , but I guess I am not entirely sure of the specifics of how to go about it ?

As I understand it, its a three step process

i) Write the results of the aforementioned search into a log file

ii) Write a python program ( https://github.com/tobie/ua-parser/blob/master/py/ua_parser/user_agent_parser.py ) to convert user-agents into browsers names that contain the VERSION+OS.

iii) Pipe these stats back to Splunk and put them results on a dashboard.

As it turns out this is much harder than it sounds.

1 Solution

sideview
SplunkTrust
SplunkTrust

I would consider using eventtypes to clean up the raw useragent data.

You can iteratively come up with a set of eventtypes that are non-overlapping, but it will take some work. Note that the webintelligence app might already have them so you might take a look at that app anyway. I know it has pretty nice eventtypes for picking up (and filtering out) bots.

But if you had some eventtypes like "browser-ie7", "browser-ie8", "firefox5", etc...
And you can prove that they're not overlapping by keeping an eye on searches like this:

sourcetype=access_combined | eval browsers=mvfilter(match(eventtype, "^browser-")) | eval matchCount=mvcount(browsers) | where matchCount!="1"

and ideally each event should match one and only one of the 'browser' eventtypes.

Then once you have reliable eventtypes,

sourcetype="access_combined" host="us1-ecojbs-p01" | transaction clientip useragent | eval browser=mvfilter(match(eventtype, "^browser-") | top 20 browser

Or if you prefer using stats even when it's a bit more verbose,

sourcetype="access_combined" host="us1-ecojbs-p01" | transaction clientip useragent | eval browser=mvfilter(match(eventtype, "^browser-") | stats count as browserHits by browser | eventstats sum(count) as total | eval percent=browserHits/total | fields - total

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

I would consider using eventtypes to clean up the raw useragent data.

You can iteratively come up with a set of eventtypes that are non-overlapping, but it will take some work. Note that the webintelligence app might already have them so you might take a look at that app anyway. I know it has pretty nice eventtypes for picking up (and filtering out) bots.

But if you had some eventtypes like "browser-ie7", "browser-ie8", "firefox5", etc...
And you can prove that they're not overlapping by keeping an eye on searches like this:

sourcetype=access_combined | eval browsers=mvfilter(match(eventtype, "^browser-")) | eval matchCount=mvcount(browsers) | where matchCount!="1"

and ideally each event should match one and only one of the 'browser' eventtypes.

Then once you have reliable eventtypes,

sourcetype="access_combined" host="us1-ecojbs-p01" | transaction clientip useragent | eval browser=mvfilter(match(eventtype, "^browser-") | top 20 browser

Or if you prefer using stats even when it's a bit more verbose,

sourcetype="access_combined" host="us1-ecojbs-p01" | transaction clientip useragent | eval browser=mvfilter(match(eventtype, "^browser-") | stats count as browserHits by browser | eventstats sum(count) as total | eval percent=browserHits/total | fields - total

0 Karma

asarolkar
Builder

Are you referring to field extractions ?

I am not sure I follow what an "eventtype" is.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...