We use a Python script as you mentioned for this, but the logic in the Python script is simple enough to build into the Splunk search language directly. You can use the eval match() command to map out the different fields.
This example assumes you've already extracted the user-agent string to a field named useragent; you could use _raw to start with if you don't have that field extracted.
* | eval os = case(match(useragent,"Windows .. 5\.1"),"Windows XP",
                   match(useragent,"droid"),"Android",
                   match(useragent,"Windows NT 6.1"),"Windows 7")
  | eval browser = case(match(useragent,"MSIE 10.0"),"Internet Explorer 10.0",
                        match(useragent,"Chrome"),"Chrome",
                        match(useragent,"Safari/"),"Safari")
  | eval arch = case(match(useragent,"droid"),"android",
                     match(useragent,"iPad"),"ipad",
                     match(useragent,"iPod"),"ipod")
I just picked three from each mapping; the search will get quite long implementing it this way, and you'd want to add something to handle the case where it doesn't match anything. I'd definitely advise getting the approval from whoever necessary to put this into a script instead.
We use this script internally, you'd have to update it for IE 11:
https://github.com/JustinAzoff/splunk-scripts/blob/master/ua2os.py
Funny fact, when I tested this on our data, someone was in fact viewing our site with an iPod in the first 20 results. Who knew?
If you really really want a lookup, you could append "| fields useragent os browser arch | outputlookup useragentfields.csv" to the search and generate a lookup file from the results. You could then maybe schedule this as a saved search to run every five minutes, appending to your lookup file. The disadvantage is that any time you use this lookup, it'll only work if you've already seen the exact useragent before.
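The scripted-lookup route from the answer above, as an added example that is not the ua2os.py script or Splunk's own code: the same three regex tables as the search, a catch-all default for unmatched user-agents, and a stdin/stdout CSV wrapper in the shape Splunk external lookups use. It assumes the lookup fields are named useragent, os, browser and arch; the sample user-agent strings in the test are constructed.

```python
import csv
import re
import sys

# Ordered (regex, label) tables mirroring the case() branches in the search.
# Order matters: a Chrome user-agent also contains "Safari/", so Chrome is tested first,
# exactly as case() evaluates its branches left to right.
OS_RULES = [
    (re.compile(r"Windows .. 5\.1"), "Windows XP"),
    (re.compile(r"droid"), "Android"),
    (re.compile(r"Windows NT 6\.1"), "Windows 7"),
]
BROWSER_RULES = [
    (re.compile(r"MSIE 10\.0"), "Internet Explorer 10.0"),
    (re.compile(r"Chrome"), "Chrome"),
    (re.compile(r"Safari/"), "Safari"),
]
ARCH_RULES = [
    (re.compile(r"droid"), "android"),
    (re.compile(r"iPad"), "ipad"),
    (re.compile(r"iPod"), "ipod"),
]

def first_match(rules, ua, default="unknown"):
    """Return the label of the first rule whose regex matches, else the default.
    The default covers the no-match case the search above leaves empty."""
    for pattern, label in rules:
        if pattern.search(ua):
            return label
    return default

def classify(ua):
    """Map one user-agent string to the os/browser/arch fields."""
    return {
        "os": first_match(OS_RULES, ua),
        "browser": first_match(BROWSER_RULES, ua),
        "arch": first_match(ARCH_RULES, ua),
    }

def main():
    # External lookup protocol (assumed field names): Splunk writes a CSV with the
    # lookup's fields on stdin, the script fills in the output fields and writes CSV back.
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        row.update(classify(row.get("useragent", "")))
        writer.writerow(row)

if __name__ == "__main__":
    main()
```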