Solved: Browser type Display issues with Useragent

puneetkharband1 · ‎05-11-2015

I have a query which is giving me different types of browser stats but when I try to display that in a pie chart it shows only one of those browsers as overall

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | sort by User_Agent

If I display using Bar chart it shows firefox/firefox firefox chrome, firefox IE so on
if I display using Pie chart it shows only first of the browser matched

Please let me knw what is the best possible way to display the browsers.

ramdaspr · ‎05-11-2015

When you invoke multiple count commands you are creating multiple columns in the output table i.e. multiple data series and a pie chart can use only a single data series which is why only the first browser is showing up in the chart.

You need to add a transpose the command before sorting for it to become a single data series which can be used for graphing.

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

View solution in original post

ramdaspr · ‎05-11-2015

When you invoke multiple count commands you are creating multiple columns in the output table i.e. multiple data series and a pie chart can use only a single data series which is why only the first browser is showing up in the chart.

You need to add a transpose the command before sorting for it to become a single data series which can be used for graphing.

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

cangur · ‎08-22-2020

When i use this to my splunk script, it gives all data to "Other". Firefox=0, Chrome=0 IE=0

Why is that? please guide me thanks

index=apache hostdomain=sube.garantibbva.com.tr (uri="/isube/login/pinverify*" OR uri="/isube/login/login/smspinverify*" OR uri="/isube/login/mobiletokenverify*") | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

justdan23 · ‎09-30-2019

I like this as a simple, basic check to identify the Browser Type without too much complexity.

Ideally, it would be nice to parse out specifics, but starting with something basic does answer the mail on this question.

Browser type Display issues with Useragent

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!