Splunk Search

User agent browser type display issue

jaibalaraman
Path Finder

Hi team 

I tried the below spl eval command 


index=aws Website="*"
| stats count(eval(match(User_Agent, "Firefox"))) as "Firefox",
        count(eval(match(User_Agent, "Chrome"))) as "Chrome",
        count(eval(match(User_Agent, "Safari"))) as "Safari",
        count(eval(match(User_Agent, "MSIE"))) as "IE",
        count(eval(match(User_Agent, "Trident"))) as "Trident",
        count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other"
| transpose
| sort by User_Agent

When I use this in my Splunk script, it puts all data into "Other": Firefox=0, Chrome=0, IE=0.

Thanks


jaibalaraman
Path Finder

However, I am trying to get only the browser count from the SPL query:

Mozilla - 400 

Chrome - 500 

IE - 899

Thanks


richgalloway
SplunkTrust

May I suggest the TA-user-agents app (https://splunkbase.splunk.com/app/1843/) rather than re-inventing the wheel?

---
If this reply helps you, Karma would be appreciated.

jaibalaraman
Path Finder

Hi 

Sorry for the late response.

Unfortunately the TA-user-agents app is not supported for Splunk Cloud users.


Also, the TA Browscap app is not supported in Splunk version 8.0.

So could you please on this..

Thanks 


richgalloway
SplunkTrust

This is rather challenging to do in SPL, which explains why the TAs use external commands to parse the URLs. Perhaps reviewing the TAs will give you ideas on how to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.

jaibalaraman
Path Finder

Hi 

Yes, I tried regex; it is working for individual browsers, like the sample below:

Device: iPhone
User agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1
Rex command: \((?<hardware_type>\w+);\s+[^ ]+\s(?<os_family>\w+\s[^ ]+)\s+(?<os_version>\w+)\s[^ ]+\s[^ ]+\s\w+\s\w.\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s+\(.+\)\s+(?<browser_version>\w+\/[^ ]+)\s+\w+\/\w+\s(?<browser>\w+)

Device: iPad
User agent: Mozilla/5.0 (iPad; CPU OS 12_4_9 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1
Rex command: \((?<hardware_type>\w+);\s+[^ ]+\s(?<os_family>\w+)\s(?<os_version>\w+)\s[^ ]+\s[^ ]+\s\w+\s\w.\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s+(?<browser_version>\w+\/[^ ]+)\s\w+\/\w+\s(?<browser>\w+)

Device: Windows
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edge/87.0.664.66
Rex command: \((?<os_family>\w+)\s+\w+\s+(?<os_version>[^;]+)[^\)]+\)\s(?<browser_egnine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s[^ ]+\s[^ ]+\s(?<browser>\w+)\/(?<browser_version>\w+[^ ]+)

Device: Macintosh
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15
Rex command: \((?<hardware_type>\w+);\s\w+\s+(?<os_family>\w+)\s(?<os_version>\w+\s[^ ]+\s[^ ]+)\s(?<browser_enginer>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s(?<browser_version>\w+\/[^ ]+)\s(?<browser>\w+)

Device: Android / Vodafone
User agent: Mozilla/5.0 (Linux; Android 10; SM-A217F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36
Rex command: \(\w+;\s(?<os_family>\w+)\s(?<os_version>\w+);\s(?<device_brand_model>\w+[^ ]+)\s(?<browser_enginer>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s(?<browser>\w+)\/(?<browser_version>\w+[^ ]+)\s(?<hardware_type>\w+)
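An added example, written in Python rather than SPL and not taken from the thread or from any Splunk TA: it runs the five User-Agent strings from the table above through independent substring checks of the same shape as the first post's stats/match query, then through an ordered first-match classifier, to show why independent matches double-count (the Chrome and Edge strings also contain "Safari"). The Edge, Edg and CriOS tokens are my additions.

```python
import re
from collections import Counter

# Constructed sample: the five User-Agent strings quoted in the thread's table.
SAMPLE_UAS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (iPad; CPU OS 12_4_9 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edge/87.0.664.66",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15",
    "Mozilla/5.0 (Linux; Android 10; SM-A217F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36",
]

# Independent substring checks, the same shape as the thread's stats/match query.
NAIVE_TOKENS = {"Firefox": "Firefox", "Chrome": "Chrome", "Safari": "Safari",
                "IE": "MSIE", "Trident": "Trident"}

# Ordered rules, first match wins.  Specific tokens go first because Edge UAs
# also contain "Chrome" and "Safari", Chrome UAs also contain "Safari", and
# IE 11 announces itself with "Trident/" instead of "MSIE".
ORDERED_RULES = [
    ("Edge", re.compile(r"\bEdge?/")),             # legacy "Edge/", Chromium "Edg/"
    ("IE", re.compile(r"MSIE|Trident/")),
    ("Firefox", re.compile(r"Firefox/")),
    ("Chrome", re.compile(r"(?:Chrome|CriOS)/")),  # CriOS is Chrome on iOS
    ("Safari", re.compile(r"Safari/")),
]


def naive_counts(uas):
    """Count every token independently: one UA can land in several buckets."""
    counts = dict.fromkeys(list(NAIVE_TOKENS) + ["Other"], 0)
    for ua in uas:
        hits = [name for name, token in NAIVE_TOKENS.items() if token in ua]
        for name in hits:
            counts[name] += 1
        if not hits:
            counts["Other"] += 1
    return counts


def classify(ua):
    """Return exactly one browser family for a UA string."""
    for name, pattern in ORDERED_RULES:
        if pattern.search(ua):
            return name
    return "Other"


def ordered_counts(uas):
    """Per-family counts that add up to len(uas), unlike naive_counts()."""
    return dict(Counter(classify(ua) for ua in uas))
```

With the sample, naive_counts() reports Safari=5 and Chrome=2 for five events, while ordered_counts() gives Safari=3, Edge=1, Chrome=1.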

richgalloway
SplunkTrust

To properly help you, we'd need to see examples of the User_Agent strings you're trying to match.

Have you gone to regex101.com to confirm your regular expressions work with the data you have?

---
If this reply helps you, Karma would be appreciated.