Solved: How to write a query that will separate browser se...

jpringle03 · ‎10-12-2016

I'm currently trying to write a query that will let me separate the follow "browser" sections in this JSON array into separate events, preferably with the rest of the data in the output still being included.

The problem I'm running into at the moment is when I try to write a query for returning only the count for different versions of Chrome, in a situation where there is another browser present in the record, I'm getting "browser_version" field of the other browser being included as well.

An example of this query is:

index=security browser_family "browsers{}.browser_family"=Chrome*| spath "browsers{}.browser_version" | chart count by browsers{}.browser_version | sort browsers{}.browser_version`


 {
            "browsers": [{
                "browser_family": "Chrome",
                "browser_version": "51.0.2704.103",
                "flash_version": "22.0.0.0",
                "java_version": "uninstalled"
            },
            {
                "browser_family": "Safari",
                "browser_version": "9.1.1",
                "flash_version": "uninstalled",
                "java_version": "1.8.0.45",
                "last_used": 1474483713
            }],
            "email": "ejennings@example.com",
            "epkey": "EP18JX1A10AB102M2T2X",
            "model": "",
            "os_family": "Mac OS X",
            "os_version": "10.11.5",
            "type": "",
            "username": "ejennings"
        }

Any ideas of how I could accomplish this?

sundareshr · ‎10-12-2016

See if this helps

 index=security browser_family "browsers{}.browser_family"=Chrome*| spath "browsers{}.browser_version" | rename "browsers{}.*" AS * | eval z=mvzip(browser_family, mvzip(browser_version, mvzip(flash_version,  java_version))) | mvexpand z | rex field=z "(?<family>[^,]+),(?<version>[^,]+),(?<flash_version>[^,]+),(?<java_version>.*)" | fields family version flash_version java_version | where match(family, "Chrome") |  chart count values(*) as * by version | sort version

View solution in original post

somesoni2 · ‎10-12-2016

Give this a try

index=security browser_family "browsers{}.browser_family"=Chrome*
| spath "browsers{}.browser_version" 
| eval Browser_Version=mvzip('browsers{}.browser_family','browsers{}.browser_version',"#")
| stats count by Browser_Version | where match(Browser_Version,"Chrome") | replace "Chrome#*" with "*"  in Browser_Version

Updated

index=security browser_family "browsers{}.browser_family"=Chrome*
| spath "browsers{}.browser_version" 
| eval Browser_Version=mvzip('browsers{}.browser_family','browsers{}.browser_version',"#")
| stats count by Browser_Version | where match(Browser_Version,".*Chrome.*") 
| eval Browser_Version=mvindex(split(Browser_Version,"#"),-1)

jpringle03 · ‎10-12-2016

Thanks for the suggestion!

I gave this a try but it still gave an output that contained over browsers:

somesoni2 · ‎10-12-2016

Give the updated answer a try.

jpringle03 · ‎10-12-2016

Hey somesoni2,

Just tried and it stripped out the names from the browser_version field which is a win but is still showing the other browser versions (like Safari and AppleMail)

somesoni2 · ‎10-12-2016

Strange, the match was able to filter on my sample data. Give this a try then

 index=security browser_family "browsers{}.browser_family"=Chrome*
 | spath "browsers{}.browser_version" 
 | eval Browser_Version=mvzip('browsers{}.browser_family','browsers{}.browser_version',"#")
 | stats count by Browser_Version | where like(lower(Browser_Version),"%chrome%") 
 | eval Browser_Version=mvindex(split(Browser_Version,"#"),-1)

jpringle03 · ‎10-12-2016

Still seems to be outputting the other browsers in the data. This was the issue I was having, it seems like it doesn't want to separate out those non-Chrome browsers.

sundareshr · ‎10-12-2016

See if this helps

 index=security browser_family "browsers{}.browser_family"=Chrome*| spath "browsers{}.browser_version" | rename "browsers{}.*" AS * | eval z=mvzip(browser_family, mvzip(browser_version, mvzip(flash_version,  java_version))) | mvexpand z | rex field=z "(?<family>[^,]+),(?<version>[^,]+),(?<flash_version>[^,]+),(?<java_version>.*)" | fields family version flash_version java_version | where match(family, "Chrome") |  chart count values(*) as * by version | sort version

jpringle03 · ‎10-12-2016

When trying this it it gave me:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ', mvzip(flash_version, java_version))))'.

I changed it a little and I think it might be doing what I want, but I need to look into it more. Here is what I have now:

index=security browser_family "browsers{}.browser_family"=Chrome*| spath "browsers{}.browser_version" | rename "browsers{}.*" AS * | eval z=mvzip(browser_family, mvzip(browser_version, mvzip(flash_version,  java_version))) | mvexpand z | rex field=z "(?<family>[^,]+),(?<version>[^,]+),(?<flash_version>[^,]+),(?<java_version>.*)" | fields family version flash_version java_version | where match(family, "Chrome") |  chart count values(*) as * by version | sort version

sundareshr · ‎10-12-2016

You got it! Edited original post to fix typos.

How to write a query that will separate browser sections in a JSON array into separate events?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life