Security

Browser type Display issues with Useragent

puneetkharband1
Path Finder

I have a query which is giving me different types of browser stats, but when I try to display that in a pie chart it shows only one of those browsers as overall.

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | sort by User_Agent

If I display using a bar chart it shows firefox/firefox firefox chrome, firefox IE and so on.
If I display using a pie chart it shows only the first of the browsers matched.

Please let me know what is the best possible way to display the browsers.

1 Solution

ramdaspr
Contributor

When you invoke multiple count commands you are creating multiple columns in the output table, i.e. multiple data series, and a pie chart can use only a single data series, which is why only the first browser is showing up in the chart.

You need to add the transpose command before sorting for it to become a single data series which can be used for graphing.

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent


cangur
New Member

When I use this in my Splunk script, it gives all data to "Other". Firefox=0, Chrome=0, IE=0

Why is that? Please guide me, thanks.

 

index=apache hostdomain=sube.garantibbva.com.tr (uri="/isube/login/pinverify*" OR uri="/isube/login/login/smspinverify*" OR uri="/isube/login/mobiletokenverify*") | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

 

0 Karma

justdan23
Path Finder

I like this as a simple, basic check to identify the Browser Type without too much complexity.

Ideally, it would be nice to parse out specifics, but starting with something basic does answer the mail on this question.

0 Karma
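
Added example (not from any poster in this thread): one way to get the single data series a pie chart needs is to label each event once with eval case() and then count by that label. The field name browser and the label "No User_Agent value" are assumptions made for this example; the index, the User_Agent field and the match patterns are the ones from the original question.

```spl
index="cc_web" sourcetype=*
| eval browser=case(
    isnull(User_Agent) OR User_Agent="", "No User_Agent value",
    match(User_Agent, "Firefox"), "Firefox",
    match(User_Agent, "Chrome"), "Chrome",
    match(User_Agent, "Safari"), "Safari",
    match(User_Agent, "MSIE"), "IE",
    match(User_Agent, "Trident"), "Trident",
    true(), "Other")
| stats count by browser
| sort - count
```

case() returns the first branch that matches, so Chrome is tested before Safari because Chrome's User-Agent string also contains "Safari", and each event is counted exactly once. A nonzero "No User_Agent value" row means those events have no value in a field with that exact, case-sensitive name.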