browser name extraction from user agent

super_edition
Path Finder

Hello Everyone,

I am trying to extract the unique browser name along with its count from the list of user agents (attached file) which is printed in the user_agent field of Splunk logs.

 

index=my_index "master" user-agent!="-" user-agent!="DIAGNOSTICS"
| eval browser=case(
searchmatch("*OPR*"),"Opera",
searchmatch("*Edg*"),"Edge",
searchmatch("*Chrome*Mobile*Safari*"),"Chrome",
searchmatch("*firefox*"),"Firefox",
searchmatch("*CriOS*safari"),"Safari")
| stats count as page_hit by browser

 

I am sure the result count is incorrect, as I am not covering all the combinations of browser strings from the attached list.

Appreciate if someone can help me on this.

Many Thanks

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Do something like this to find out which events aren't being counted and adjust your matches accordingly:

| eval browser=case(
searchmatch("*OPR*"),"Opera",
searchmatch("*Edg*"),"Edge",
searchmatch("*Chrome*Mobile*Safari*"),"Chrome",
searchmatch("*firefox*"),"Firefox",
searchmatch("*CriOS*safari"),"Safari")
| where isnull(browser)

0 Karma

PickleRick
SplunkTrust

There are an awful lot of different UAs and they can introduce themselves in many different ways. It's not standardized in any way. So browser detection is more an art than strict science. And that's even before we take into account that people can spoof their UA strings or even set them to any arbitrary value.

There are sites gathering known UA strings though. Like https://explore.whatismybrowser.com/useragents/parse/?analyse-my-user-agent=yes#parse-useragent

BTW, your search is very ineffective.

0 Karma

super_edition
Path Finder

Thanks @PickleRick for your response.

I am looking to get the count of browsers which are commonly used, like Chrome, Firefox, Safari, Edge and Opera.

0 Karma
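
Added example (not part of any post in this thread, and not Splunk's own code): the same first-match-wins classification applied to the user-agent value in Python, to show why rule order matters and how to list what no rule covers. It goes beyond the thread's patterns by matching product tokens such as Edg/ and CriOS/. The sample strings are constructed, and counting CriOS as Chrome is an assumption of this example.

```python
import re
from collections import Counter

# Ordered rules, first match wins. Edge and Opera UAs also carry "Chrome/"
# and "Safari/", and Chrome carries "Safari/", so the most specific
# product token has to be tested first.
RULES = [
    ("Opera",   re.compile(r"\bOPR/|\bOpera\b")),
    ("Edge",    re.compile(r"\bEdg(?:e|A|iOS)?/")),
    ("Firefox", re.compile(r"\b(?:Firefox|FxiOS)/")),
    ("Chrome",  re.compile(r"\b(?:Chrome|CriOS)/")),  # assumption: CriOS counted as Chrome
    ("Safari",  re.compile(r"\bSafari/")),
]

def classify(user_agent):
    """Return the browser family for one UA string, or None if no rule matches."""
    for name, pattern in RULES:
        if pattern.search(user_agent):
            return name
    return None

def summarize(user_agents):
    """Return (hits per browser, Counter of UA strings that matched no rule)."""
    hits, unmatched = Counter(), Counter()
    for ua in user_agents:
        browser = classify(ua)
        if browser is None:
            unmatched[ua] += 1   # the "where isnull(browser)" view from the thread
        else:
            hits[browser] += 1
    return hits, unmatched

# Constructed sample values, not taken from the poster's attached file.
CHROMIUM_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE = [
    CHROMIUM_UA, CHROMIUM_UA,
    CHROMIUM_UA + " Edg/120.0.0.0",
    CHROMIUM_UA + " OPR/106.0.0.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/17.2 Safari/605.1.15",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) CriOS/120.0.0.0 Mobile/15E148 Safari/604.1",
    "curl/8.4.0", "curl/8.4.0",
]

if __name__ == "__main__":
    hits, unmatched = summarize(SAMPLE)
    print(hits.most_common())
    print(unmatched.most_common())  # review these and extend RULES as needed
```

Because the user-agent header is client-controlled, the resulting counts describe what clients claim to be, which is fine for usage statistics but not for any access decision.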
