Security

Browser type Display issues with Useragent

puneetkharband1
Path Finder

I have a query which is giving me different types of browser stats, but when I try to display that in a pie chart it shows only one of those browsers as overall.

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | sort by User_Agent

If I display using a bar chart, it shows firefox/firefox firefox chrome, firefox IE and so on.
If I display using a pie chart, it shows only the first of the browsers matched.

Please let me know what is the best possible way to display the browsers.

1 Solution

ramdaspr
Contributor

When you invoke multiple count commands, you are creating multiple columns in the output table, i.e. multiple data series, and a pie chart can use only a single data series, which is why only the first browser is showing up in the chart.

You need to add the transpose command before sorting for it to become a single data series which can be used for graphing.

index = "cc_web" sourcetype = * | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent
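An alternative that yields a single data series without transpose, as an added example that is not part of the original post: case() returns the value for the first condition that matches, so each event gets exactly one label, and Chrome is tested before Safari because Chrome user-agent strings also contain "Safari". The `browser` field name and the "No User_Agent field" label are chosen here for illustration.

```spl
index="cc_web" sourcetype=*
| eval browser=case(
    isnull(User_Agent), "No User_Agent field",
    match(User_Agent, "Firefox"), "Firefox",
    match(User_Agent, "Chrome"), "Chrome",
    match(User_Agent, "Safari"), "Safari",
    match(User_Agent, "MSIE|Trident"), "IE",
    true(), "Other")
| stats count by browser
| sort - count
```

Events counted under "No User_Agent field" carry no field named exactly User_Agent; Splunk field names are case-sensitive, so the name has to match the one extracted for the sourcetype being searched.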

cangur
New Member

When I use this in my Splunk script, it gives all data to "Other". Firefox=0, Chrome=0, IE=0.

Why is that? Please guide me, thanks.

index=apache hostdomain=sube.garantibbva.com.tr (uri="/isube/login/pinverify*" OR uri="/isube/login/login/smspinverify*" OR uri="/isube/login/mobiletokenverify*") | stats count(eval(match(User_Agent, "Firefox"))) as "Firefox", count(eval(match(User_Agent, "Chrome"))) as "Chrome", count(eval(match(User_Agent, "Safari"))) as "Safari", count(eval(match(User_Agent, "MSIE"))) as "IE", count(eval(match(User_Agent, "Trident"))) as "Trident", count(eval(NOT match(User_Agent, "Chrome|Firefox|Safari|MSIE|Trident"))) as "Other" | transpose | sort by User_Agent

 


justdan23
Path Finder

I like this as a simple, basic check to identify the Browser Type without too much complexity.

Ideally, it would be nice to parse out specifics, but starting with something basic does answer the mail on this question.
