Splunk Search

User agent browser type display issue

jaibalaraman
Path Finder

Hi team 

I tried the below SPL eval command:

index=aws Website="*"
| stats count(eval(match(User_Agent, "Firefox"))) as "Firefox",
    count(eval(match(User_Agent, "Chrome"))) as "Chrome",
    count(eval(match(User_Agent, "Safari"))) as "Safari",
    count(eval(match(User_Agent, "MSIE"))) as "IE",
    count(eval(match(User_Agent, "Trident"))) as "Trident",
    count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other"
| transpose
| sort by User_Agent

When I use this in my Splunk script, it gives all data to "Other": Firefox=0, Chrome=0, IE=0.

Thanks

 


jaibalaraman
Path Finder

However, I am trying to get only the browser count from the SPL query:

Mozilla - 400 

Chrome - 500 

IE - 899

Thanks


richgalloway
SplunkTrust

May I suggest the TA-user-agents app (https://splunkbase.splunk.com/app/1843/) rather than re-inventing the wheel?

---
If this reply helps you, Karma would be appreciated.

jaibalaraman
Path Finder

Hi 

Sorry for the late response.

Unfortunately, the TA user agent app is not supported for Splunk Cloud users.

Also, the TA Browscap app is not supported in Splunk version 8.0.

So could you please help on this.

 

Thanks 


richgalloway
SplunkTrust

This is rather challenging to do in SPL, which explains why the TAs use external commands to parse the URLs.  Perhaps reviewing the TAs will give you ideas on how to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.

jaibalaraman
Path Finder

Hi 

Yes, I tried regex; it is working for individual browsers, like the samples below:

Device: iPhone
User agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1
Rex command: \((?<hardware_type>\w+);\s+[^ ]+\s(?<os_family>\w+\s[^ ]+)\s+(?<os_version>\w+)\s[^ ]+\s[^ ]+\s\w+\s\w.\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s+\(.+\)\s+(?<browser_version>\w+\/[^ ]+)\s+\w+\/\w+\s(?<browser>\w+)

Device: iPad
User agent: Mozilla/5.0 (iPad; CPU OS 12_4_9 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1
Rex command: \((?<hardware_type>\w+);\s+[^ ]+\s(?<os_family>\w+)\s(?<os_version>\w+)\s[^ ]+\s[^ ]+\s\w+\s\w.\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s+(?<browser_version>\w+\/[^ ]+)\s\w+\/\w+\s(?<browser>\w+)

Device: Windows
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edge/87.0.664.66
Rex command: \((?<os_family>\w+)\s+\w+\s+(?<os_version>[^;]+)[^\)]+\)\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s[^ ]+\s[^ ]+\s(?<browser>\w+)\/(?<browser_version>\w+[^ ]+)

Device: Macintosh
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
Rex command: \((?<hardware_type>\w+);\s\w+\s+(?<os_family>\w+)\s(?<os_version>\w+\s[^ ]+\s[^ ]+)\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s(?<browser_version>\w+\/[^ ]+)\s(?<browser>\w+)

Device: Android / Vodafone\
User agent: Mozilla/5.0 (Linux; Android 10; SM-A217F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36
Rex command: \(\w+;\s(?<os_family>\w+)\s(?<os_version>\w+);\s(?<device_brand_model>\w+[^ ]+)\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s(?<browser>\w+)\/(?<browser_version>\w+[^ ]+)\s(?<hardware_type>\w+)

richgalloway
SplunkTrust

To properly help you, we'd need to see examples of the User_Agent strings you're trying to match.

Have you gone to regex101.com to confirm your regular expressions work with the data you have?

---
If this reply helps you, Karma would be appreciated.
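
Added example, not part of the thread and not code from any participant or from the TAs mentioned: a pure-SPL browser count that assigns each event to exactly one browser, testing the most specific token first, because an Edge string also contains "Chrome/" and "Safari/" and a Chrome string also contains "Safari/". The sample events are constructed with makeresults; four User-Agent strings are taken from the post above, the Firefox, Trident and curl strings are constructed for illustration, and the "No User_Agent field" label is an assumption added so that events lacking a field with that exact name are not mixed in with "Other".

```spl
| makeresults
| eval User_Agent=mvappend(
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edge/87.0.664.66",
    "Mozilla/5.0 (Linux; Android 10; SM-A217F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0",
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "curl/7.68.0")
| mvexpand User_Agent
| eval browser=case(
    isnull(User_Agent), "No User_Agent field",
    match(User_Agent, "Edge?/"), "Edge",
    match(User_Agent, "MSIE |Trident/"), "IE",
    match(User_Agent, "Firefox/"), "Firefox",
    match(User_Agent, "Chrome/|CriOS/"), "Chrome",
    match(User_Agent, "Safari/"), "Safari",
    true(), "Other")
| stats count by browser
| sort - count
```

To run it on indexed data, replace the makeresults, mvappend and mvexpand commands with the base search from the question (index=aws Website="*").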