Extract browser type and device from User agent

shashank_24
Path Finder

Hi, I've been reading a number of posts about how to extract the OS and browser details, but I don't think there is a better or cleaner way to do this.

I have a similar requirement where, in my logs, there is a user agent field. Now what I want is to know the browser details along with the device, like whether it's a desktop, mobile, etc.

Just posting this to see if anyone has figured out anything on this which can save time writing complex SPL.

Any help will be appreciated. 


richgalloway
SplunkTrust

There's an app for that. Check out TA-user-agents at https://splunkbase.splunk.com/app/1843/#/details

---
If this reply helps you, Karma would be appreciated.

shashank_24
Path Finder

Hi @richgalloway, thanks for the response. How does this app work? Does it create any extra fields in the event?

And is it only compatible with certain formats of events? We have audit logs from Ping Federate which contain a field called useragent.

Just trying to understand: even if I get this app installed, what is the way to extract the required information?


richgalloway
SplunkTrust

Sorry, but I don't have any details about the TA. Why not download it to your test system and try it out?

---
If this reply helps you, Karma would be appreciated.

shashank_24
Path Finder

@richgalloway yeah, I will need to speak to my admin for that. Apart from this, is there any other way to do this?

For example, extracting the information by writing it in SPL. I've done something like this but I'm not sure if it is 100% correct:

| eval device = case((useragent LIKE "%Mobile%" OR useragent LIKE "%Mobile%Safari%" OR useragent LIKE "%iPhone%" OR useragent LIKE "Android%Firefox%" OR useragent LIKE "%UCBrowser%" OR useragent LIKE "%IEMobile%" OR useragent LIKE "%Dalvik%Android%" OR useragent LIKE "%Android-STV100%" ), "Mobile Device", useragent LIKE "%Windows NT%", "Windows", useragent LIKE "%Macintosh%", "Macintosh", (useragent LIKE "%Ubuntu%Linux%" OR useragent LIKE "%X11%OpenVAS%"), "Linux", true() ,"others")

| eval browser = case(match(useragent,"Firefox"),"FireFox", match(useragent,"Chrome") AND NOT match(useragent,"Edge"),"Chrome", match(useragent,"Safari") AND NOT match(useragent,"Chrome"),"Safari", match(useragent, "MSIE|Trident|Edge"), "IE", NOT match(useragent, "Chrome|Firefox|Safari|MSIE|Trident|Edge"), "OTHERS")


richgalloway
SplunkTrust

You have the general idea; however, like() is a function (used the same way as match()) rather than an operator.

| eval device = case((like(useragent, "%Mobile%") OR like(useragent, "%Mobile%Safari%") OR like(useragent, "%iPhone%") OR like(useragent, "Android%Firefox%") OR like(useragent, "%UCBrowser%") OR like(useragent, "%IEMobile%") OR like(useragent, "%Dalvik%Android%") OR like(useragent, "%Android-STV100%") ), "Mobile Device", like(useragent, "%Windows NT%"), "Windows", like(useragent, "%Macintosh%"), "Macintosh", (like(useragent, "%Ubuntu%Linux%") OR like(useragent, "%X11%OpenVAS%")), "Linux", true() ,"others")
---
If this reply helps you, Karma would be appreciated.
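To see how the two case() expressions above behave on real-looking input (and to check the branch ordering before putting them in a saved search), here is an added Python re-implementation of the same logic. It is not from the thread and not Splunk code: the like() helper imitates Splunk's SQL-style like() (% matches any run of characters, _ one character, whole-string match), match() wraps re.search, and the device and browser branches are evaluated in the same order as the SPL case() calls. The user agent strings are constructed samples, not log data from the poster's Ping Federate events.

```python
import re

# Imitation of Splunk's like(): SQL-style wildcards, whole-string match (assumption: case-sensitive)
def like(value: str, pattern: str) -> bool:
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

# Imitation of Splunk's match(): unanchored regular-expression search
def match(value: str, pattern: str) -> bool:
    return re.search(pattern, value) is not None

# The patterns from the thread's device case(), in the order the SPL evaluates them
MOBILE_PATTERNS = [
    "%Mobile%", "%Mobile%Safari%", "%iPhone%", "Android%Firefox%",
    "%UCBrowser%", "%IEMobile%", "%Dalvik%Android%", "%Android-STV100%",
]

def classify_device(ua: str) -> str:
    # case() returns the first branch whose condition is true, so mobile checks come first
    if any(like(ua, p) for p in MOBILE_PATTERNS):
        return "Mobile Device"
    if like(ua, "%Windows NT%"):
        return "Windows"
    if like(ua, "%Macintosh%"):
        return "Macintosh"
    if like(ua, "%Ubuntu%Linux%") or like(ua, "%X11%OpenVAS%"):
        return "Linux"
    return "others"  # the true() default branch

def classify_browser(ua: str) -> str:
    if match(ua, "Firefox"):
        return "FireFox"
    if match(ua, "Chrome") and not match(ua, "Edge"):
        return "Chrome"
    if match(ua, "Safari") and not match(ua, "Chrome"):
        return "Safari"
    if match(ua, "MSIE|Trident|Edge"):
        return "IE"
    return "OTHERS"

def classify(ua: str) -> tuple:
    return classify_device(ua), classify_browser(ua)

# Constructed sample user agents (not taken from any real log)
SAMPLE_USERAGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.2210.91",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "curl/8.4.0",
]

def classify_all() -> list:
    # One row per sample: (useragent, device, browser), mirroring the two eval'd fields
    return [(ua, *classify(ua)) for ua in SAMPLE_USERAGENTS]

if __name__ == "__main__":
    for ua, device, browser in classify_all():
        print(f"{device:14} {browser:8} {ua[:60]}")
```

Running it shows one thing the SPL alone does not make obvious: the third sample, a Chromium-based Edge with the "Edg/" token, contains neither "Edge" nor "MSIE", so the browser case() labels it "Chrome". Only the legacy "Edge/18" string lands in the "IE" bucket. If that distinction matters for your reporting, the Edge regex needs to cover "Edg/" as well.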