Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract device name and OS version from User Agent field

zucler
Explorer
‎05-11-2012 02:25 AM

Hi everyone,

I have a questions in regards to the data representation in Splunk.

The sample user agent field we have is: 

ua = Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; ASUS Transformer Pad TF300T Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30

Whenever I build a report based around the ua field, it's being represented by the full value string.

alt text

I wonder if there is a way to tell Splunk to only display either a device name or OS version based on the regular expression? In other words the above list will look like:

  • iPad 1
  • iPad 2
  • Samsung Galaxy
  • ASUS Transformer Pad
  • List item

Or

  • Android 4.0.3
  • iOS 3.2
  • iOS 4.1
  • Android 3.1.3

To give you a better understanding, the reports that I need to create are:

Top device models hourly over a period of time

Top OS versions hourly over a period of time

Thanks,
Max

0 Karma
Reply

lguinn2
Legend
‎09-16-2013 09:19 PM

There is an app that provides a dynamic lookup for user agent strings; it is called TA-uas_parser. Download it from

http://apps.splunk.com/app/1007

It's free. The user agent string can be very complex. I don't recommend that you build this yourself.

Reply

Ayn
Legend
‎05-11-2012 02:37 AM

Sure. You could create field extractions that return those kinds of values from the user agent string, however be advised that parsing user agent strings is a nightmare - there's really no standard for what a UA string should look like, at all. It's probably a good idea to make use of previous work within this area, for instance the mappings that the web intelligence app creates:

http://splunk-base.splunk.com/apps/28994/splunk-app-for-web-intelligence

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...