Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine similar events into a single count

Armyeric
Path Finder
‎08-20-2013 05:58 PM

I have the search:

index="weblogs" filter_result!="-" useragent="* (compatible; MSIE 10.6; )" OR useragent=" (compatible; MSIE 10.0; )" OR useragent=" (compatible; MSIE 9.0; )" OR useragent=" (compatible; MSIE 8.0; )" OR useragent=" (compatible; MSIE 7.0b; )" OR useragent=" (compatible; MSIE 7.0; )" OR useragent=" (compatible; MSIE 6.1; )" OR useragent=" (compatible; MSIE 6.01; )" OR useragent=" (compatible; MSIE 6.0b; ) OR useragent=" (compatible; MSIE 6.0; *)" | top limit=10000 useragent

What I need is to get every event under each useragent string to show up as a combined total for each type (MSIE 10.6) would be the total count of every variation that had MSIE 10.6 in its useragent string...and the same thing for MSIE 10.0, etc, etc, etc.. There will be more browser types in there once I get this working. Ultimately, I am trying to create a pie chart, for a dashboard, that will show all the browser types (or the top 20) that view our sites.

I am not interested in any apps at this time.

Thanks for the help!

Tags (1)
0 Karma
Reply

Ayn
Legend
‎08-20-2013 11:15 PM

I'm going to go ahead and ignore your statement that you're not interested in apps. User-agent string parsing is a nightmare and if you try to build your own solution you're doomed to spend the next couple of months making constant changes because there's just so many weird variations of what a user-agent string looks like. You really should be using the user agent parser app instead - http://apps.splunk.com/app/1007

All it is is a very very handy lookup that will do all the work for you. But of course, you're still free to take the build-your-own-and-deal-with-months-of-frustration solution 😉

Reply

lguinn2
Legend
‎08-21-2013 01:03 AM

Also, this app is FREE - it costs you nothing to try it!!

0 Karma
Reply

HiroshiSatoh
Champion
‎08-20-2013 06:32 PM

Do not easy to write event image input and output?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...