Hi everyone,
I have a questions in regards to the data representation in Splunk.
The sample user agent field we have is:
ua = Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; ASUS Transformer Pad TF300T Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Whenever I build a report based around the ua field, it's being represented by the full value string.
I wonder if there is a way to tell Splunk to only display either a device name or OS version based on the regular expression? In other words the above list will look like:
Or
To give you a better understanding, the reports that I need to create are:
Top device models hourly over a period of time
Top OS versions hourly over a period of time
Thanks,
Max
There is an app that provides a dynamic lookup for user agent strings; it is called TA-uas_parser. Download it from
http://apps.splunk.com/app/1007
It's free. The user agent string can be very complex. I don't recommend that you build this yourself.
Sure. You could create field extractions that return those kinds of values from the user agent string, however be advised that parsing user agent strings is a nightmare - there's really no standard for what a UA string should look like, at all. It's probably a good idea to make use of previous work within this area, for instance the mappings that the web intelligence app creates:
http://splunk-base.splunk.com/apps/28994/splunk-app-for-web-intelligence