Solved: Getting information adjacent to a match.

jsven7 · ‎10-21-2015

Hello

Data example:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MDDRJS)

I have to interpret the above MSIE 9.0 as IE 9. So far I've been able to find "MSIE" with this search:

| eval Browser=if(match(User_Agent,"(?i)MSIE"),"IE",User_Agent)

How do I extract only the "9.0" next to MSIE?

woodcock · ‎10-21-2015

Assuming that you have another field which contains the information, such as UA_Versoin, like this:

| eval Browser=if(match(User_Agent,"(?i)MSIE"),"IE",User_Agent . " " . UA_Version)

View solution in original post

woodcock · ‎10-21-2015

Assuming that you have another field which contains the information, such as UA_Versoin, like this:

| eval Browser=if(match(User_Agent,"(?i)MSIE"),"IE",User_Agent . " " . UA_Version)

jsven7 · ‎10-21-2015

Oh a concatenation that's great! Now in order to put the version into the field UA_Version, how do I perform more than one action within the if statement when it is true? That way I can split the UA_Version within the same if statement.

woodcock · ‎10-21-2015

You can have multiple clauses like this;

if((((THIS) AND(THAT)) OR (SOMETHING)), "TrueText", "FalseText")

jsven7 · ‎10-21-2015

I love you. Thank you sir.

Getting information adjacent to a match.

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!