Splunk Search

Combine similar events into a single count

Armyeric
Path Finder

I have the search:

index="weblogs" filter_result!="-" useragent="* (compatible; MSIE 10.6; )" OR useragent=" (compatible; MSIE 10.0; )" OR useragent=" (compatible; MSIE 9.0; )" OR useragent=" (compatible; MSIE 8.0; )" OR useragent=" (compatible; MSIE 7.0b; )" OR useragent=" (compatible; MSIE 7.0; )" OR useragent=" (compatible; MSIE 6.1; )" OR useragent=" (compatible; MSIE 6.01; )" OR useragent=" (compatible; MSIE 6.0b; ) OR useragent=" (compatible; MSIE 6.0; *)" | top limit=10000 useragent

What I need is to get every event under each useragent string to show up as a combined total for each type (MSIE 10.6) would be the total count of every variation that had MSIE 10.6 in its useragent string...and the same thing for MSIE 10.0, etc, etc, etc.. There will be more browser types in there once I get this working. Ultimately, I am trying to create a pie chart, for a dashboard, that will show all the browser types (or the top 20) that view our sites.

I am not interested in any apps at this time.

Thanks for the help!

Tags (1)
0 Karma

Ayn
Legend

I'm going to go ahead and ignore your statement that you're not interested in apps. User-agent string parsing is a nightmare and if you try to build your own solution you're doomed to spend the next couple of months making constant changes because there's just so many weird variations of what a user-agent string looks like. You really should be using the user agent parser app instead - http://apps.splunk.com/app/1007

All it is is a very very handy lookup that will do all the work for you. But of course, you're still free to take the build-your-own-and-deal-with-months-of-frustration solution 😉

lguinn2
Legend

Also, this app is FREE - it costs you nothing to try it!!

0 Karma

HiroshiSatoh
Champion

Do not easy to write event image input and output?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...