Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help with regex

theouhuios
Motivator
‎11-26-2012 11:47 AM

Hello

I am trying to get the browser information from the below raw data and haven't been able to do so. Can anyone please explain how to get the information? I haven't yet been able to successfully write complex regex expressions.

2012-11-26 19:41:42  10.64.182.218 GET /_js/mbox.js - 80 - 10.64.182.224 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+MS-RTC+LM+8;+.NET4.0C;+.NET4.0E)

Regards

theou

Tags (1)
0 Karma
Reply

tpederson
Path Finder
‎11-26-2012 01:34 PM

I couldn't find a definitive list of permissible characters for user agent strings. So, as long as all log entries are the same you can try this regex:

\S*$

That just means anything that's not a space at the end of the log entry. Since the parts of the log entry are delineated by spaces, you should be good to go with that. Otherwise you can try something like:

Mozilla[\.\d\w:;+/()-]*

Which is "Mozilla" followed by all the characters I found in example user agent strings. Also, try :

Mozilla[^\s]*

Which just means anything not a space following "Mozilla".

Regex is complicated but powerful, its worth learning.

0 Karma
Reply

Ayn
Legend
‎11-26-2012 01:25 PM

This app could very well be exactly what you're looking for. http://splunk-base.splunk.com/apps/48017/ta-uas_parser

0 Karma
Reply

Ayn
Legend
‎11-26-2012 01:22 PM

Sorry, the task of making sense out of user agent strings is ridiculously complex, because there's simply no universal standard for how they're formatted. The web analytics app might have some inbuilt support for this.

0 Karma
Reply

theouhuios
Motivator
‎11-26-2012 12:21 PM

Oh. I get it now what you meant. Any idea on how to approach this?

0 Karma
Reply

Ayn
Legend
‎11-26-2012 12:18 PM

That's my point - if you just catch the initial "Mozilla" you won't be able to differentiate between browsers at all. Both Opera and Internet Explorer commonly use "Mozilla" at the beginning of their user-agent string.

0 Karma
Reply

theouhuios
Motivator
‎11-26-2012 12:15 PM

That's fine. In the whole raw data there are few in Opera and Internet Browser too. I just need to make a table to determine which browsers where the most used.

0 Karma
Reply

Ayn
Legend
‎11-26-2012 12:08 PM

You do know that pretty much all browsers use "Mozilla" in their user-agent string? http://en.wikipedia.org/wiki/User_agent#Format

0 Karma
Reply

theouhuios
Motivator
‎11-26-2012 12:03 PM

Nope. Just the browser info. In this data only Mozilla.

0 Karma
Reply

Ayn
Legend
‎11-26-2012 11:59 AM

Which info do you want? The whole user-agent string?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...