Splunk Search

eval if to post on part of a string

Bassik
Path Finder

I have a question on the use of eval on a UA String. I want to do a lookup on a UA String and call out the version of Chrome the UA String has. At the moment I have covered most UA Strings; however, I would like to display only a part of the UA String so I can table that into a count stats.

Current UA String =

Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/80.0.3987.149+Safari/537.36

At the moment I just have everything other than IE listed as Other; however, I'd like to list that as the Chrome Browser Version.

This is my current search:

| eval Browser=case(like(cs_User_Agent,"%;+MSIE+8.0;%"), "Internet Explorer 8", like(cs_User_Agent,"%;+MSIE+7.0;%"), "Internet Explorer 7", like(cs_User_Agent,"%;+MSIE+9.0;%"), "Internet Explorer 9", like(cs_User_Agent,"%;+MSIE+10.0;%"), "Internet Explorer 10", like(cs_User_Agent,"%;+rv:11.0%"), "Internet Explorer 11", like(cs_User_Agent,"%;+Trident/7.0;+%"), "Internet Explorer 11", 1==1, "Other")

 

1 Solution

bowesmana
SplunkTrust

One approach you could take is to do it like this

 

| rex field=cs_User_Agent "(?<BrowserInfo>(\+rv|Trident|MSIE|Chrome).[^\+;]*)"
| rex field=BrowserInfo "[:\/ ](?<Version>.*)"
| eval Browser=case(match(BrowserInfo, "^Trident|MSIE|rv"), "Internet Explorer", match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")
| eval Browser=if(!isnull(Version),Browser." ".Version, Browser)

Rather than having a long, expensive case/like statement, it attempts to get the browser family into the BrowserInfo field and then to get the version from there.

It may not do exactly what you are after, there are hundreds of UA strings around, but it might give you a different path to solving the problem.

Hope this helps
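As an added example (editor's code, not the answer's or the original poster's), here is a self-contained version of the rex approach that can be pasted straight into a search bar: it builds a few constructed UA strings with makeresults/mvappend so it runs without any index, extracts family and version into one Browser field, and ends with the count the question asked for. It differs from the answer in two ways a practitioner will want: the IE11 Trident/rv: pair is tested before the MSIE token, so an IE11 hit is not reported as Trident 7.0, and rv: only counts as Internet Explorer when it sits next to a Trident token, because Gecko browsers also carry rv:. The field name cs_User_Agent and the + encoding of spaces are taken from the thread; the first sample line is the one from the question and the remaining sample lines are constructed.

```spl
| makeresults
| eval cs_User_Agent=mvappend(
    "Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/80.0.3987.149+Safari/537.36",
    "Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko",
    "Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0)",
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:78.0)+Gecko/20100101+Firefox/78.0",
    "curl/7.68.0")
| mvexpand cs_User_Agent
``` constructed sample UA strings, one event per line; spaces are logged as + ```
| rex field=cs_User_Agent "Trident/[\d.]+;\+rv:(?<ie_rv>\d+(\.\d+)?)"
``` IE11: rv: is only trusted when a Trident token precedes it ```
| rex field=cs_User_Agent "MSIE\+(?<ie_msie>\d+(\.\d+)?)"
``` older IE: the MSIE token carries the version ```
| rex field=cs_User_Agent "Chrome/(?<chrome_ver>\d+(\.\d+)*)"
``` Chrome: full dotted version after Chrome/ ```
| eval Browser=case(isnotnull(ie_rv),      "Internet Explorer ".ie_rv,
                    isnotnull(ie_msie),    "Internet Explorer ".ie_msie,
                    isnotnull(chrome_ver), "Chrome ".chrome_ver,
                    1==1,                  "Other")
``` case() stops at the first true clause, so IE11 wins over any MSIE token ```
| eval BrowserMajor=replace(Browser, "^(\D+\d+).*$", "\1")
``` family plus major version, e.g. "Chrome 80"; "Other" has no digits and is left as-is ```
| stats count by BrowserMajor, Browser
| sort -count
```

With the five constructed lines the Chrome, IE11 and IE8 samples each get a versioned Browser value, while the Gecko line (rv: without Trident) and the curl line fall through to Other. The triple-backtick comments need a Splunk version that supports inline search comments; remove them on older releases. Before replacing stats with a table/dedup, run it with `| table cs_User_Agent Browser` to spot-check real traffic, since the 1==1 default silently absorbs every UA the three rex patterns miss. One detail in the answer's own code worth knowing: in match(BrowserInfo, "^Trident|MSIE|rv") the ^ anchors only Trident, so MSIE and rv are matched anywhere in the field.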

 

 

Bassik
Path Finder

Hi, this is great for Chrome, but now it's all wrong with Internet Explorer. The results I get are not correct. Most of these are IE11, and yet I am now getting IE7. The Trident version is 7.0, but IE11 moved away from MSIE versions since IE11 and now it's on the Trident platform.

I think I need to drill down on what your syntax is, as I am not familiar with rex.


bowesmana
SplunkTrust

I suspected it wouldn't be the perfect hammer 🙂

The rex statement uses regular expressions to extract fields from your data, so my example showed a simple pattern based on some UA header examples, but as there are so many, it may be challenging to get a good pattern.

When playing with regular expressions, you can use this site to test your patterns.

https://regex101.com/

 


Bassik
Path Finder

Ok thanks, would it be reasonable to combine mine with yours? As I have Internet Explorer down, it's just the Chrome field I need, and that is consistent.

The issue when I tried is that one overwrites the other, so "Other" replaces all IE, or vice versa, all Chrome replaces "Other", if you get my idea?

This is what I had just to capture Chrome:

| rex field=cs_User_Agent "(?<BrowserInfo>(Chrome).[^\+;]*)"
| rex field=BrowserInfo "[:\/ ](?<Version>.*)"
| eval Browser=case(match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")
| eval Browser=if(!isnull(Version),Browser." ".Version, Browser)
| table LHD, cs_username, a_app, cs_User_Agent, Browser, BrowserInfo, Version,  a_request, _time | dedup cs_username sortby +LHD

Does this look ok?


bowesmana
SplunkTrust

If you have already set Browser with your existing case statement, then when assigning a new value for Chrome, you can avoid it overwriting Browser like this:

| eval Browser=case(!isnull(Browser), Browser, match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")

So the first case clause will check if Browser is already set and go no further with the other cases.

 


Bassik
Path Finder

Great, that worked; however, now I have to create two new fields. Is there a way to append the results into BrowserInfo for all of them?


this is the code:

| rex field=cs_User_Agent "(?<BrowserInfo>(Chrome).[^\+;]*)"
| rex field=BrowserInfo "[:\/ ](?<Version>.*)"
| eval Browser=case(match(BrowserInfo, "^Chrome"), "Chrome")
| eval Browser=if(!isnull(Version),Browser." ".Version, Browser)
| eval Browser=case(like(cs_User_Agent,"%;+MSIE+8.0;%"), "Internet Explorer 8", like(cs_User_Agent,"%;+MSIE+7.0;%"), "Internet Explorer 7", like(cs_User_Agent,"%;+MSIE+9.0;%"), "Internet Explorer 9", like(cs_User_Agent,"%;+MSIE+10.0;%"), "Internet Explorer 10", like(cs_User_Agent,"%;+rv:11.0%"), "Internet Explorer 11", like(cs_User_Agent,"%;+Trident/7.0;+%"), "Internet Explorer 11", 1==1, "Other")
| eval OS=case(like(cs_User_Agent,"%Windows+NT+5.1%"), "Windows XP", like(cs_User_Agent,"%Windows+NT+6.0;%"), "Windows Vista", like(cs_User_Agent,"%Windows+NT+6.1;%"), "Windows 7", like(cs_User_Agent,"%Windows+NT+6.2%"), "Windows 8", like(cs_User_Agent,"%Windows+NT+6.3;%"), "Windows 8.1", like(cs_User_Agent,"%Windows+NT+10.0;%"), "Windows 10", 1==1, "Other")
| eval Browser=case(!isnull(Browser), Browser, match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")


bowesmana
SplunkTrust
| eval BrowserInfo=coalesce(BrowserInfo, Browser)

Bassik
Path Finder

Legend, this worked great. Just one concern I have: the addition of this line, below, is only looking for Chrome. If Internet Explorer was in the Browser field, would it list it as "Other"?

| eval Browser=case(!isnull(Browser), Browser, match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")

| rex field=cs_User_Agent "(?<BrowserInfo>(Chrome).[^\+;]*)"
| rex field=BrowserInfo "[:\/ ](?<Version>.*)"
| eval Browser=case(match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")
| eval Browser=if(!isnull(Version),Browser." ".Version, Browser)
| eval Browser=case(like(cs_User_Agent,"%;+MSIE+8.0;%"), "Internet Explorer 8", like(cs_User_Agent,"%;+MSIE+7.0;%"), "Internet Explorer 7", like(cs_User_Agent,"%;+MSIE+9.0;%"), "Internet Explorer 9", like(cs_User_Agent,"%;+MSIE+10.0;%"), "Internet Explorer 10", like(cs_User_Agent,"%;+rv:11.0%"), "Internet Explorer 11", like(cs_User_Agent,"%;+Trident/7.0;+%"), "Internet Explorer 11", like(cs_User_Agent,"%+Chrome%"), "Chrome", 1==1, "Other")
| eval OS=case(like(cs_User_Agent,"%Windows+NT+5.1%"), "Windows XP", like(cs_User_Agent,"%Windows+NT+6.0;%"), "Windows Vista", like(cs_User_Agent,"%Windows+NT+6.1;%"), "Windows 7", like(cs_User_Agent,"%Windows+NT+6.2%"), "Windows 8", like(cs_User_Agent,"%Windows+NT+6.3;%"), "Windows 8.1", like(cs_User_Agent,"%Windows+NT+10.0;%"), "Windows 10", 1==1, "Other")
| eval Browser=case(!isnull(Browser), Browser, match(BrowserInfo, "^Chrome"), "Chrome", 1==1,"Other")
| eval BrowserInfo=coalesce(BrowserInfo, Browser, Version)
| table LHD, cs_username, a_app, OS, BrowserInfo, _time, cs_User_Agent


bowesmana
SplunkTrust

No, the first case clause

!isnull(Browser), Browser

is saying that if the Browser field is currently NOT NULL, then use the existing value of the Browser field, so if it is already set to Internet Explorer, it will use that value. Only if the Browser field is null will it go on to the match/other clauses of the case statement.

 


Bassik
Path Finder

Ok, so it's all good then?

 

Big thanks buddy
