Splunk Search

Finding difficulty in extracting count of browser type from user agent

jaibalaraman
Path Finder

Hi 

I need help determining the browsers that appear in our logs. I believe the simple way is to use the app TA - UA parser or an external script, but unfortunately I do not have enough access rights to use the tools.

SPL command - 

index=aws sourcetype = * Website="*" | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

 
 
 

I tried the above command; it gives all data to "Other": Firefox=0, Chrome=0, IE=0.

0 Karma

scelikok
SplunkTrust

Hi @jaibalaraman,

Your problem seems to be that the User_Agent field does not exist as it is, or that no events are returned by the search before the stats command.

1. Run the search below to see whether it returns any results.

index=aws sourcetype = * Website="*"

If there are no results, please check whether the Website and User_Agent fields are correct in the Interesting Fields section. You can try again using the correct field names. Please keep in mind that field names are case sensitive.

2. If the above returns results, try the search below:

index=aws sourcetype = * Website="*" User_Agent=*

I think there will be no results; please check whether the User_Agent field is correct in the Interesting Fields section. You can try again using the correct field name. Please keep in mind that field names are case sensitive.

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

jaibalaraman
Path Finder

Hi Splunk team 

Please find below image for sample log file 

jaibalaraman_0-1612221570204.png

 

0 Karma

manjunathmeti
Champion

Hi @jaibalaraman,
The regex applied in the match function is case sensitive; try this:

index=aws sourcetype = * Website="*" 
| stats count(eval(match(User_Agent, "(?i)Firefox"))) as "Firefox", count(eval(match(User_Agent, "(?i)Chrome"))) as "Chrome", count(eval(match(User_Agent, "(?i)Safari"))) as "Safari", count(eval(match(User_Agent, "(?i)MSIE"))) as "IE", count(eval(match(User_Agent, "(?i)Trident"))) as "Trident", count(eval(NOT match(User_Agent, "(?i)Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" 
| transpose 

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

jaibalaraman
Path Finder

Hi 

Yes, I tried the SPL command and still have the same issue.

jaibalaraman_0-1611806002584.png

 

0 Karma

manjunathmeti
Champion

Can you post some sample data?

0 Karma

jaibalaraman
Path Finder

Hi, 

Sure 

jaibalaraman_0-1611866300077.png

 

0 Karma

manjunathmeti
Champion

I mean sample raw data.

0 Karma

jaibalaraman
Path Finder

Hi 

I am happy to share, but unfortunately I don't have access to the log file.

Sorry 

Thanks 

0 Karma

jaibalaraman
Path Finder

Hi Team 

Can anyone help me with this, please?

0 Karma

jaibalaraman
Path Finder

Please find below image 

jaibalaraman_1-1611802401173.png

 

 

 

0 Karma