Solved: UA strings not captured in lookup

pmccomb · ‎12-19-2013

I have this running but it is returning "Unknown" for these http_user_agent values:

1 "Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0)"
2 "Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/31.0.1650.63+Safari/537.36"
3 "Mozilla/5.0+(X11;+U;+Linux+i686)+Web-Security/1.0(it's+for+a+research+study,if+you+have+questions,plz+contact+me+liangw@cs.wisc.edu)"
4 "Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+de;+rv:1.9)+Gecko/2008052906+Firefox/3.0"

Do you know why?

jsie_splunk · ‎12-19-2013

The "+" are causing the issue for TA-browscap. You could try this:

sourcetype="foo" | eval http_user_agent=urldecode(USERAGENT) | lookup browscap_lookup http_user_agent

replacing USERAGENT with the actual field name contain the above string.

View solution in original post

jsie_splunk · ‎12-19-2013

The "+" are causing the issue for TA-browscap. You could try this:

sourcetype="foo" | eval http_user_agent=urldecode(USERAGENT) | lookup browscap_lookup http_user_agent

replacing USERAGENT with the actual field name contain the above string.

pmccomb · ‎12-19-2013

Great... that fixed it. Thank you.

UA strings not captured in lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!