much time to get results

alvaro_garcia · ‎06-09-2014

Hi,
I am trying this app in a Splunk 6.1 version.
The app works fine, but takes much time in the command.lookup (159 seconds for 1449 events)
Is there any way to accelerate de process?

gesman · ‎10-16-2014

The only way I found how to get fast stats on Browser usage is to study all browser user agent strings and crafting a custom query like this (my user agent field is named ua - change it accordingly for your case):

sourcetype=...
| fields ua
| eval ua_type = 
    if (match(ua, "Opera| OPR/"), "Opera", 
      if (match(ua, "CriOS|Chrome"), "Chrome", 
        if (match(ua, "Firefox"), "Firefox", 
          if (match(ua, "\((iPad|iPhone|iPod|Macintosh);"), "Safari", 
            if (match(ua, "IEMobile"), "IEMobile", 
              if (match(ua, "MSIE|Trident"), "MSIE", 
                if (match(ua, "Linux") AND match(ua, "Android"), "Android Browser", 
                  if (match(ua, "CFNetwork") AND match(ua, "Darwin"), "Apple Safari Crawler", 
                    "Other"
      ))))))))
| where ua_type != "Apple Safari Crawler" AND ua_type != "Other"
| top ua_type limit=0
| rename ua_type as "Browser Type"
| sort - count

This search query will run like 500 faster. If I'll have time - i could include more variables, such as platform and device into it. Browscap gets really huge and using it as a lookup method will slow things more and more with every update.

much time to get results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!