Splunk Search

Narrowing and Generalizing Searches

monicato
Path Finder

Hi!

Is it possible to narrow down this search so that it would group these results by "Interface" and "Mozilla" versus the results I provided below? I want to group all the results into more generalized groups for a simpler dashboard panel.

All these results are in the same field called "user_agent", but I would like to narrow down this search. Anyone know how this could be done? I was thinking of searching for just by keywords? Because most of my results are either "Interface...blah blah" or other... blah blah.

example results

1   "Interface (aaaf4b;win;1.8.3.3;Win7)"       
2   "Interface (aa0b;win;1.8.3.3;WinXP)"    
3   "Interface (aa04b;win;1.8.3.3;Vista)        
4   "Interface (8e0a;mac;1.8.3.3;OS X 10.6.8)"   
5   "Interface (8ea;mac;1.8.3.3;OS X 10.7.4)"      
6   "Interface (8ec0a;mac;1.8.3.3;OS X 10.7.3)"  
7   "Interface (aa04b;win;1.8.3.3;unknown)"    
8   "Interface (8e0a;mac;1.8.3.3;OS X 10.5.8)"  
9   "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WW64; Trident/5.0;CC2;   
10  "Interface" 1124    0.234167   
11  "Interface (8ec0a;mac;1.8.3.3;OS X 10.7.0)"  
12  "Mozilla/4.0 (compatible; MIE 6.0; Windows NT 5.1; V1; 
13  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident   
14  "Interface (8ece0a;mac;1.8.3.3;OS X 10.6.3)  
15  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0;   
16  "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
0 Karma

Gilberto_Castil
Splunk Employee
Splunk Employee

Hi there,

From the context you provide it seems this may be IIS data. If I get your meaning correctly, you should extract the piece of data require and then use that data in the statistical calculation. For example, when performing a search in line, you could use the following:

sourcetype=iis blah blah | rex field=user_agent "(?<field_name>\w+)\s" | stats count by field_name

Of course you can automate this in props.conf so the extraction happens automatically.

I hope this helps.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...