Hello,
I would like to extract the browser type string to some fields from Netscaler VPX syslog. Splunk doesn't extract this user_agent field automatically. I have tried some regular expressions but no luck. Splunk receives these data events:
Vserver 172.128.4.4:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" - SSLVPN_client_type Clientless
Vserver 172.128.4.4:443 - Browser_type "Mozilla/5.0 (Linux; U; Android 2.3.5; es-es; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobi" - SSLVPN_client_type Clientless
How can I extract this client information to these fields:
- os_company: The OS vendor
- os_family: The OS family
- os_name: The name of the OS
- ua_build_version: The build version of the browser
- ua_company: The user-agent vendor
- ua_family: The user-agent family (Firefox, Safari, IE, etc.)
- ua_major_version: Major version of the user agent
- ua_minor_version: Minor version of the user agent
- ua_name: Full name of the user agent
You can solve your problem in a two-step process:
1. Extract full user agent. A simple rex command or an entry in props.conf will do. Something similar to "\"(?P<UserAgent>[^\"]+)\"".
2. Use a Python script to extract detailed data from the user agent string. An example of such a script: https://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py
Keep in mind that the Python script linked might not be up to date and you might need to make additions to it for newer browsers/OSes, etc.
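As an added example (not the linked ua2os.py script and not part of this thread), here are both steps in plain Python run over the two events from the question: the Browser_type capture from step 1, followed by a step-2 parser that fills the requested os_* and ua_* fields. The family and vendor tables are assumed mappings that you would extend for other browsers.

```python
import re
# Constructed sample events: the two Netscaler VPX syslog lines quoted in the question.
EVENTS = [
    'Vserver 172.128.4.4:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" - SSLVPN_client_type Clientless',
    'Vserver 172.128.4.4:443 - Browser_type "Mozilla/5.0 (Linux; U; Android 2.3.5; es-es; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobi" - SSLVPN_client_type Clientless',
]
# Step 1: the quoted-string capture the answer suggests for rex / props.conf, anchored on the
# Browser_type key so that other quoted values in an event are never picked up by mistake.
UA_RE = re.compile(r'Browser_type "(?P<UserAgent>[^"]+)"')

# Step 2: assumed lookup tables (not from the page); each pattern yields (major, minor, build).
# Order matters: Chrome is tested before Safari because Chrome user agents also carry "Safari/".
UA_FAMILIES = [
    ("Firefox", r"Firefox/(\d+)\.(\d+)(?:\.([\d.]+))?", "Mozilla"),
    ("Chrome", r"Chrome/(\d+)\.(\d+)(?:\.([\d.]+))?", "Google"),
    ("Android Browser", r"Android.*Version/(\d+)\.(\d+)()", "Google"),
    ("Safari", r"Version/(\d+)\.(\d+)(?:\.([\d.]+))?.*Safari/", "Apple"),
]
OS_FAMILIES = [  # (family, pattern capturing the os_name, vendor); generic Linux goes last
    ("Windows", r"(Windows NT \d+\.\d+)", "Microsoft"),
    ("Android", r"(Android \d+(?:\.\d+)*)", "Google"),
    ("Linux", r"(Linux)", "Linux"),
]

def extract_user_agent(event):
    """Return the quoted Browser_type value of one syslog event, or None if absent."""
    m = UA_RE.search(event)
    return m.group("UserAgent") if m else None

def parse_user_agent(ua):
    """Derive the os_* and ua_* fields the question lists from one user-agent string."""
    fields = {}
    for family, pattern, vendor in UA_FAMILIES:
        m = re.search(pattern, ua)
        if m:
            major, minor, build = m.groups()
            fields.update(ua_family=family, ua_company=vendor, ua_major_version=major,
                          ua_minor_version=minor, ua_build_version=build or None,
                          ua_name=f"{family} {major}.{minor}")
            break
    for family, pattern, vendor in OS_FAMILIES:
        m = re.search(pattern, ua)
        if m:
            fields.update(os_family=family, os_company=vendor, os_name=m.group(1))
            break
    return fields

def parse_event(event):
    """Both steps for one event; an event without a Browser_type yields an empty dict."""
    ua = extract_user_agent(event)
    return parse_user_agent(ua) if ua else {}
```

For the first event this yields ua_family Chrome, ua_major_version 34, ua_minor_version 0, ua_build_version 1847.131 and os_name Windows NT 6.0; the second yields Android Browser 4.0 on Android 2.3.5.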
Can you post the expected values (based on your example) for these fields?