Re: User agent browser type display issue

jaibalaraman · ‎05-06-2021

Hi team

I tried the below spl eval command

index=aws Website="*"
| stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

When i use this to my Splunk script, it gives all data to "Other". Firefox=0, Chrome=0 IE=0,

Thanks

jaibalaraman · ‎05-10-2021

However, i am trying to get only the browser count from the spl query

Mozilla - 400

Chrome - 500

IE - 899

Thanks

richgalloway · ‎05-11-2021

May I suggest the TA-user-agents app (https://splunkbase.splunk.com/app/1843/) rather than re-inventing the wheel?

---
If this reply helps you, Karma would be appreciated.

jaibalaraman · ‎05-20-2021

Hi

Sorry for the late responce

Unfortunately TA - user agent app is not support for Splunk cloud user

Also , TA Browscap app is also not supported in Splunk 8.0 version

So could you please on this..

Thanks

richgalloway · ‎05-21-2021

This is rather challenging to do in SPL, which explains why the TAs use external commands to parse the URLs. Perhaps reviewing the TAs will give you ideas on how to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.

jaibalaraman · ‎05-10-2021

Hi

yes, i tried Regex it working for individual browser like below sample ,

Device	User agent	Rex command
Iphone	Mozilla/5.0 (iPhone; CPU iPhone OS 14_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1	\((?<hardware_type>\w+);\s+[^ ]+\s(?<os_family>\w+\s[^ ]+)\s+(?<os_version>\w+)\s[^ ]+\s[^ ]+\s\w+\s\w.\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s+\(.+\)\s+(?<browser_version>\w+\/[^ ]+)\s+\w+\/\w+\s(?<browser>\w+)
Ipad	Mozilla/5.0 (iPad; CPU OS 12_4_9 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1	\((?<hardware_type>\w+);\s+[^ ]+\s(?<os_family>\w+)\s(?<os_version>\w+)\s[^ ]+\s[^ ]+\s\w+\s\w.\s(?<browser_engine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s+(?<browser_version>\w+\/[^ ]+)\s\w+\/\w+\s(?<browser>\w+)
Window	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edge/87.0.664.66	\((?<os_family>\w+)\s+\w+\s+(?<os_version>[^;]+)[^\)]+\)\s(?<browser_egnine>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s[^ ]+\s[^ ]+\s(?<browser>\w+)\/(?<browser_version>\w+[^ ]+)
Macintosh	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"	\((?<hardware_type>\w+);\s\w+\s+(?<os_family>\w+)\s(?<os_version>\w+\s[^ ]+\s[^ ]+)\s(?<browser_enginer>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s(?<browser_version>\w+\/[^ ]+)\s(?<browser>\w+)
Android / Vodoafone\	Mozilla/5.0 (Linux; Android 10; SM-A217F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36	\(\w+;\s(?<os_family>\w+)\s(?<os_version>\w+);\s(?<device_brand_model>\w+[^ ]+)\s(?<browser_enginer>\w+)\/(?<brow_engine_version>\w+[^ ]+)\s\(.+\)\s(?<browser>\w+)\/(?<browser_version>\w+[^ ]+)\s(?<hardware_type>\w+)

richgalloway · ‎05-07-2021

To properly help you, we'd need to see examples of the User_Agent strings you're trying to match.

Have you gone to regex101.com to confirm your regular expressions work with the data you have?

---
If this reply helps you, Karma would be appreciated.

User agent browser type display issue

eval

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor