Splunk Search

How to edit my search to categorize User Agent by Mobile OS?

evanleair
Explorer

Hello Splunk Masters,

I'm working on a radial gauge that will show successful IIS requests. I need to be able to build out a search to separate results by either Android or iOS. Here's how an example of how we build out the USER agent:

userAgent = “$a/$b (Linux; Android $c; $d; $e) Mobile App

With Parameters:

• $a = App Name (varies per app)
• $b = App Version
• $c = Android Version
• $d = User Language
• $e = Device Model

Live example in use: AwesomeMobileApp/9.5.9 (iPhone OS 9.3.2; iPhone7,2) Mobile App

Search Example:

sourcetype=iis_logs UserAgent=awesomemobileapp* | stats count as total count(eval(http_status<400)) as success | eval perc=success/total*100 | fields perc

Right now, the above search works great for getting both iOS and Android, but I really need to be able to split it between the two.

Thanks,

sundareshr
Legend

Try this

 sourcetype=iis_logs UserAgent=awesomemobileapp* | rex field=UserAgent "(?<os>iPhone|Android)" | stats count as total count(eval(os="Android" AND http_status<400)) as AndroidSuccess  count(eval(os="iPhone" AND http_status<400)) as iOSSuccess| eval perc_Android=AndroidSuccess /total*100 | eval perc_iOS=iOSSuccess/total*100 | fields perc

*OR*

 sourcetype=iis_logs UserAgent=awesomemobileapp* | rex field=UserAgent "(?<os>iPhone|Android)" | stats count(eval(http_status<400)) as Success BY os | addtotals | eval perc_Android=Android/Total*100 | eval perc_iOS=iPhone/Total*100 | fields perc
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...