Splunk Search

Combine similar events into a single count

Armyeric
Path Finder

I have the search:

index="weblogs" filter_result!="-" useragent="* (compatible; MSIE 10.6; )" OR useragent=" (compatible; MSIE 10.0; )" OR useragent=" (compatible; MSIE 9.0; )" OR useragent=" (compatible; MSIE 8.0; )" OR useragent=" (compatible; MSIE 7.0b; )" OR useragent=" (compatible; MSIE 7.0; )" OR useragent=" (compatible; MSIE 6.1; )" OR useragent=" (compatible; MSIE 6.01; )" OR useragent=" (compatible; MSIE 6.0b; ) OR useragent=" (compatible; MSIE 6.0; *)" | top limit=10000 useragent

What I need is to get every event under each useragent string to show up as a combined total for each type (MSIE 10.6) would be the total count of every variation that had MSIE 10.6 in its useragent string...and the same thing for MSIE 10.0, etc, etc, etc.. There will be more browser types in there once I get this working. Ultimately, I am trying to create a pie chart, for a dashboard, that will show all the browser types (or the top 20) that view our sites.

I am not interested in any apps at this time.

Thanks for the help!

Tags (1)
0 Karma

Ayn
Legend

I'm going to go ahead and ignore your statement that you're not interested in apps. User-agent string parsing is a nightmare and if you try to build your own solution you're doomed to spend the next couple of months making constant changes because there's just so many weird variations of what a user-agent string looks like. You really should be using the user agent parser app instead - http://apps.splunk.com/app/1007

All it is is a very very handy lookup that will do all the work for you. But of course, you're still free to take the build-your-own-and-deal-with-months-of-frustration solution 😉

lguinn2
Legend

Also, this app is FREE - it costs you nothing to try it!!

0 Karma

HiroshiSatoh
Champion

Do not easy to write event image input and output?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...