Splunk Search

Useragent regex is not working

Path Finder

I am trying to create a regex to capture different types of browsers and I found that I need to have useragent setup for that which is another regex So I tried creating a field extraction which is not working for me so I need help to figure out what I need to do.

1) Goal is to display a chart with X IP's are hitting IE and Y are hitting Firefox so on
2) What I need to accomplish this ? I have a access log which looks like this
2XX.1XX.XX.1XX - - [04/Apr/2015:17:14:24 -0400] "POST /ABC_Call/History.do HTTP/1.1" 200 22480 - - - "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1106670 /ABC_Call/History.do
So Above access log shows I am using IE 5.01

I used \s\"(?P<http_user_agent>[^"]+) THIS IS Not working for me

I tried this to make it work

index="cc_web" sourcetype=* | rex field=_raw "\s\"(?P<http_user_agent>[^"]+)"
Error: Mismatched ']'

tried to resolve but doesnt work anything

then I found something like this which I cannot use because it says useragent
sourcetype="access_combined" useragent!="-" AND useragent!="Apache" AND useragent!="Load-weight" AND useragent!="Java" AND useragent!="Jakarta Commons-HttpClient" | stats count(eval(match(useragent, "Firefox"))) as "Firefox", count(eval(match(useragent, "Chrome"))) as "Chrome", count(eval(match(useragent, "Safari"))) as "Safari", count(eval(match(useragent, "MSIE"))) as "IE", count(eval(NOT match(useragent, "Chrome|Firefox|Safari|MSIE"))) as "Other"

Please help

0 Karma

Esteemed Legend

Try this (replace the &lt; and &gt; with "<" and ">"):

... | rex "\"(?&lt;http_user_agent&gt;[^\"]+)\"[^\"]+$"
0 Karma

Path Finder

ndex="cc_web" sourcetype=* | rex field=_raw "s"(?P<http_user_agent>[^"]+)"

Mismatched ']'.

0 Karma
Get Updates on the Splunk Community!

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...