Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine similar events into a single count

Armyeric
Path Finder
‎08-20-2013 05:58 PM

I have the search:

index="weblogs" filter_result!="-" useragent="* (compatible; MSIE 10.6; )" OR useragent=" (compatible; MSIE 10.0; )" OR useragent=" (compatible; MSIE 9.0; )" OR useragent=" (compatible; MSIE 8.0; )" OR useragent=" (compatible; MSIE 7.0b; )" OR useragent=" (compatible; MSIE 7.0; )" OR useragent=" (compatible; MSIE 6.1; )" OR useragent=" (compatible; MSIE 6.01; )" OR useragent=" (compatible; MSIE 6.0b; ) OR useragent=" (compatible; MSIE 6.0; *)" | top limit=10000 useragent

What I need is to get every event under each useragent string to show up as a combined total for each type (MSIE 10.6) would be the total count of every variation that had MSIE 10.6 in its useragent string...and the same thing for MSIE 10.0, etc, etc, etc.. There will be more browser types in there once I get this working. Ultimately, I am trying to create a pie chart, for a dashboard, that will show all the browser types (or the top 20) that view our sites.

I am not interested in any apps at this time.

Thanks for the help!

Tags (1)
0 Karma
Reply

Ayn
Legend
‎08-20-2013 11:15 PM

I'm going to go ahead and ignore your statement that you're not interested in apps. User-agent string parsing is a nightmare and if you try to build your own solution you're doomed to spend the next couple of months making constant changes because there's just so many weird variations of what a user-agent string looks like. You really should be using the user agent parser app instead - http://apps.splunk.com/app/1007

All it is is a very very handy lookup that will do all the work for you. But of course, you're still free to take the build-your-own-and-deal-with-months-of-frustration solution 😉

Reply

lguinn2
Legend
‎08-21-2013 01:03 AM

Also, this app is FREE - it costs you nothing to try it!!

0 Karma
Reply

HiroshiSatoh
Champion
‎08-20-2013 06:32 PM

Do not easy to write event image input and output?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...