Dashboards & Visualizations

How to isolate specific results in table output?

beetlegeuse
Path Finder

I have a search being used in a dashboard (note the use of XML encoding for < and > symbols) that leverages the HTTP user agent field to identify browser and device type, then displays results (from highest to lowest volume) in a table. Here's the search:

 

index=foo sourcetype=bar source=*widget.log* http.agent 
| rex field=http_user_agent "(?&lt;useragent&gt;\S+)\s+\((?&lt;deviceType&gt;[A-Za-z0-9 .]+); (?&lt;OSinfo&gt;[A-Za-z0-9 _.;:\/-]+)\).*\) (?&lt;extensions&gt;.+)" 
| eval browserType =  if(match(extensions, "^.*CriOS\/[0-9.]+"),"Chrome for iOS", if(match(extensions, "Google-Read-Aloud"),"Chrome with Google TTS (Text To Speech)", if(match(extensions, "^.*GSA\/[0-9.]+"),"Google Search App for iOS", if(match(extensions, "^.*EdgiOS\/[0-9.]+"),"Edge for iOS", if(match(extensions, "^.*FxiOS\/[0-9.]+"),"Firefox for iOS", if(match(extensions,"^Version\/[0-9.]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions,"^Version\/[0-9.]+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari", if(match(extensions,"^Version\/[0-9.]+\sMobile\/\S+\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Safari for iOS", if(match(extensions, "^.*Edg\/[0-9.]+$$"),"Edge", if(match(extensions, "^.*EdgA\/[0-9.]+$$"),"Edge for Android", if(match(http_user_agent, "^.*rv:11.0.*"),"Internet Explorer 11", if(match(http_user_agent, "^.*Gecko.*Firefox.*"),"Firefox", if(match(http_user_agent, "^.*OPR"),"Opera", if(match(extensions, "^.*Chrome\/[0-9.]+\sSafari\/[0-9.]+$$"),"Chrome", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sSafari\/[0-9.]+$$"),"Chrome for Android", if(match(extensions, "^.*Chrome\/[0-9.]+\sMobile\sDuckDuckGo\/[0-9]+\sSafari\/[0-9.]+$$"),"Chrome for Android","OTHER")))))))))))))))))
| eval deviceType = if(match(http_user_agent,"Windows NT 10.0"),"Windows 10", if(match(http_user_agent,"Windows NT 6.0"),"Windows Vista", if(match(http_user_agent,"Windows NT 6.1"),"Windows 7", if(match(http_user_agent,"Windows NT 6.2"),"Windows 8", if(match(http_user_agent,"Windows NT 6.3"),"Windows 8.1", if(match(http_user_agent,"\(Windows Mobile 10;"),"Windows Mobile 10", if(match(http_user_agent,"iPhone"),"iPhone", if(match(http_user_agent,"X11"),"Linux", if(match(http_user_agent,"\(Linux x86_64;"),"Linux", if(match(http_user_agent,"iPad"),"iPad", if(match(http_user_agent,"Macintosh"),"MacOS", if(match(http_user_agent,"Linux; Android.*;"),"Android", if(match(http_user_agent,"Linux; Android.*\)"),"Android", if(match(http_user_agent,"Android.*; Mobile;"),"Android","OTHER"))))))))))))))
| eval browserDevice = browserType . ":" . deviceType
| stats count as Events by browserDevice | sort - Events

 

(side note: I tried using a Splunkbase TA such as "TA-user-agents" to facilitate the user agent parsing, but I found that it was adding a LOT of time to my search execution...so I just isolated specific user agent fields of interest in my search).

I've recently had an ask to filter the table results to show only the Apple related results returned in the "browserDevice" field (i.e., "Safari:MacOS", "Safari for iOS:iPhone", etc.). The key here is to show each result's percentage share among all possible "browserDevice" results returned (Apple or non-Apple related). I had originally scoped my base search to only include Apple related objects; while only Apple results were returned, the percentages were based on all Apple results as opposed to all Apple/non-Apple results.

The table results should show the count and the percentage share; how would I accomplish this ask?

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

 

| eventstats sum(Events) as allEvents
| where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc

 

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

 

| eventstats sum(Events) as allEvents
| where browserDevice = "Safari:MacOS" OR browserDevice = "Safari for iOS:iPhone" etc

 

0 Karma

beetlegeuse
Path Finder

Thank you! I used 

| where browserDevice = "Safari:MacOS" OR like(browserDevice, "%iPhone%") OR like(browserDevice, "%iPad%")

to address all the various iPhone/iPad permutations. 

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...