Splunk Search

Combine similar events into a single count

Armyeric
Path Finder

I have the search:

index="weblogs" filter_result!="-" useragent="* (compatible; MSIE 10.6; )" OR useragent=" (compatible; MSIE 10.0; )" OR useragent=" (compatible; MSIE 9.0; )" OR useragent=" (compatible; MSIE 8.0; )" OR useragent=" (compatible; MSIE 7.0b; )" OR useragent=" (compatible; MSIE 7.0; )" OR useragent=" (compatible; MSIE 6.1; )" OR useragent=" (compatible; MSIE 6.01; )" OR useragent=" (compatible; MSIE 6.0b; ) OR useragent=" (compatible; MSIE 6.0; *)" | top limit=10000 useragent

What I need is to get every event under each useragent string to show up as a combined total for each type (MSIE 10.6) would be the total count of every variation that had MSIE 10.6 in its useragent string...and the same thing for MSIE 10.0, etc, etc, etc.. There will be more browser types in there once I get this working. Ultimately, I am trying to create a pie chart, for a dashboard, that will show all the browser types (or the top 20) that view our sites.

I am not interested in any apps at this time.

Thanks for the help!

Tags (1)
0 Karma

Ayn
Legend

I'm going to go ahead and ignore your statement that you're not interested in apps. User-agent string parsing is a nightmare and if you try to build your own solution you're doomed to spend the next couple of months making constant changes because there's just so many weird variations of what a user-agent string looks like. You really should be using the user agent parser app instead - http://apps.splunk.com/app/1007

All it is is a very very handy lookup that will do all the work for you. But of course, you're still free to take the build-your-own-and-deal-with-months-of-frustration solution 😉

lguinn2
Legend

Also, this app is FREE - it costs you nothing to try it!!

0 Karma

HiroshiSatoh
Champion

Do not easy to write event image input and output?

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...