How to edit my search to categorize User Agent by ...

evanleair · ‎09-20-2016

Hello Splunk Masters,

I'm working on a radial gauge that will show successful IIS requests. I need to be able to build out a search to separate results by either Android or iOS. Here's how an example of how we build out the USER agent:

userAgent = “$a/$b (Linux; Android $c; $d; $e) Mobile App

With Parameters:

• $a = App Name (varies per app)
• $b = App Version
• $c = Android Version
• $d = User Language
• $e = Device Model

Live example in use: AwesomeMobileApp/9.5.9 (iPhone OS 9.3.2; iPhone7,2) Mobile App

Search Example:

sourcetype=iis_logs UserAgent=awesomemobileapp* | stats count as total count(eval(http_status<400)) as success | eval perc=success/total*100 | fields perc

Right now, the above search works great for getting both iOS and Android, but I really need to be able to split it between the two.

Thanks,

sundareshr · ‎09-20-2016

Try this

 sourcetype=iis_logs UserAgent=awesomemobileapp* | rex field=UserAgent "(?<os>iPhone|Android)" | stats count as total count(eval(os="Android" AND http_status<400)) as AndroidSuccess  count(eval(os="iPhone" AND http_status<400)) as iOSSuccess| eval perc_Android=AndroidSuccess /total*100 | eval perc_iOS=iOSSuccess/total*100 | fields perc

*OR*

 sourcetype=iis_logs UserAgent=awesomemobileapp* | rex field=UserAgent "(?<os>iPhone|Android)" | stats count(eval(http_status<400)) as Success BY os | addtotals | eval perc_Android=Android/Total*100 | eval perc_iOS=iPhone/Total*100 | fields perc

How to edit my search to categorize User Agent by Mobile OS?

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?