Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to categorize User Agent by Mobile OS?

evanleair
Explorer
‎09-20-2016 12:53 PM

Hello Splunk Masters,

I'm working on a radial gauge that will show successful IIS requests. I need to be able to build out a search to separate results by either Android or iOS. Here's how an example of how we build out the USER agent:

userAgent = “$a/$b (Linux; Android $c; $d; $e) Mobile App

With Parameters:

• $a = App Name (varies per app)
• $b = App Version
• $c = Android Version
• $d = User Language
• $e = Device Model

Live example in use: AwesomeMobileApp/9.5.9 (iPhone OS 9.3.2; iPhone7,2) Mobile App

Search Example:

sourcetype=iis_logs UserAgent=awesomemobileapp* | stats count as total count(eval(http_status<400)) as success | eval perc=success/total*100 | fields perc

Right now, the above search works great for getting both iOS and Android, but I really need to be able to split it between the two.

Thanks,

Reply

sundareshr
Legend
‎09-20-2016 01:27 PM

Try this

 sourcetype=iis_logs UserAgent=awesomemobileapp* | rex field=UserAgent "(?<os>iPhone|Android)" | stats count as total count(eval(os="Android" AND http_status<400)) as AndroidSuccess  count(eval(os="iPhone" AND http_status<400)) as iOSSuccess| eval perc_Android=AndroidSuccess /total*100 | eval perc_iOS=iOSSuccess/total*100 | fields perc

*OR*

 sourcetype=iis_logs UserAgent=awesomemobileapp* | rex field=UserAgent "(?<os>iPhone|Android)" | stats count(eval(http_status<400)) as Success BY os | addtotals | eval perc_Android=Android/Total*100 | eval perc_iOS=iPhone/Total*100 | fields perc
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...