In my IIS logs i am trying to extract the OS and browser versions from the csUSerAgent field. I know the csuseragent field is complex and confusing but is there an easy way to just extract those two values from this field?
These are two examples of the results I get from the csUserAgent field.
You can look around on the Internet for "IIS detect browser from user agent". You will get over a million hits, but I doubt that you will find an easy answer.
I would set up a lookup table that uses wildcards to determine the browser and OS based on user agent.
The table could look like this:
user_agent,browser,browser_version,OS "Mozilla/4.0 (*; MSIE 6.0; Windows*",Internet Explorer,6.0,Windows "Mozilla/5.0 (Windows;*Firefox/220.127.116.11",Firefox,2.0,Windows "Mozilla/5.0 (Macintosh; *Chrome/5.0.375.38 Safari/533.4",Safari,5.0,Mac "Opera/9.01 (Windows *",Opera,9.01,Windows "Opera/9.20 (Windows *",Opera,9.2,Windows "Mozilla/4.0 (*MSIE 7.0; Windows*",Internet Explorer,7.0,Windows
[yourlookupname] match_type=WILDCARD(user_agent) default_match = Not found filename = browser_lookup.csv max_matches = 1 min_matches = 1 case_sensitive_match = false
Put as many lines in your table as you can. When you run your reports in Splunk, the lookup will return "Not Found" for the browser and OS if the user-agent isn't in the table. When you find one of those, you can add it to the table.
Even this solution is not perfect, as the authors of a browser can emit any user-agent string that they want. So multiple browsers can (and do) emit the same user-agent string.