Splunk Search

How to extract device name and OS version from User Agent field

zucler
Explorer

Hi everyone,

I have a questions in regards to the data representation in Splunk.

The sample user agent field we have is:

ua = Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; ASUS Transformer Pad TF300T Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Whenever I build a report based around the ua field, it's being represented by the full value string.

alt text

I wonder if there is a way to tell Splunk to only display either a device name or OS version based on the regular expression? In other words the above list will look like:

  • iPad 1
  • iPad 2
  • Samsung Galaxy
  • ASUS Transformer Pad
  • List item

Or

  • Android 4.0.3
  • iOS 3.2
  • iOS 4.1
  • Android 3.1.3

To give you a better understanding, the reports that I need to create are:

Top device models hourly over a period of time

Top OS versions hourly over a period of time

Thanks,
Max

0 Karma

lguinn2
Legend

There is an app that provides a dynamic lookup for user agent strings; it is called TA-uas_parser. Download it from

http://apps.splunk.com/app/1007

It's free. The user agent string can be very complex. I don't recommend that you build this yourself.

Ayn
Legend

Sure. You could create field extractions that return those kinds of values from the user agent string, however be advised that parsing user agent strings is a nightmare - there's really no standard for what a UA string should look like, at all. It's probably a good idea to make use of previous work within this area, for instance the mappings that the web intelligence app creates:

http://splunk-base.splunk.com/apps/28994/splunk-app-for-web-intelligence

Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...