Splunk Search

How to write a regular expression for extracting OS version number from User Agent in my sample data?

pradjswl
Explorer

How do we write a regular expression to extract an OS version from the User Agent, considering the fact that the UserAgent format is not always consistent? I searched this forum and found a similar thread where a Splunk App was suggested to the user. However, I am a regular user, and my Splunk admin doesn't allow me the permission to install any Splunk app. Is there a way I can write a regular expression to extract this info, as it is present in the UserAgent?

Sample:

Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27
0 Karma
1 Solution

cpetterborg
SplunkTrust

In regex101 you can use the following to get the first two fields extracted (using multiline):

\((?P<os>[^;]+);(?P<vers>[^;)]+).*$

Does that give you what you want from the data? Or is there more that you need to use?

0 Karma

pradjswl
Explorer

This works great.

PS1: I don't see an option to accept this as the answer for this thread.
PS2: I would raise a new thread, "How to create an extracted field using regex on an existing field"? By default the regex uses the _raw field in the field extractor. I don't want to use the regex as part of the query, but I want a field to be created in the event/app, like a calculated field, so it always stays as a new field rather than being specified in the search query.

0 Karma

cpetterborg
SplunkTrust

Now you can accept this answer.

For your other question, just start a new question, since additional questions within a question are highly discouraged. It will get answered.

0 Karma

cpetterborg
SplunkTrust

As you say, "UserAgent format is not always consistent." Please provide more than one example string that you feel you need to extract from. If you have 20 significantly differing formats, please provide a good number of them as examples.

0 Karma

pradjswl
Explorer

ty @cpetterborg for your response.

These are the samples of User Agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27

Mozilla/5.0 (Linux; Android 7.0; SAMSUNG-SM-G930A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304

Mozilla/5.0 (Linux; Android 7.0; SAMSUNG-SM-G935A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304

Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1

Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-G920A Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (Linux; Android 7.0; LG-H820 Build/NRD90U; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-G935A Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (iPad; CPU OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1

Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1

Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E277

Mozilla/5.0 (iPad; CPU OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27
Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100

Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13F69

Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456

Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0

Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-G900A Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-N920A Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Mobile/14C92

Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG-SM-G928A Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36

Mozilla/5.0 (Linux; Android 6.0.1; SM-N920T Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

0 Karma

cpetterborg
SplunkTrust

Does this give you some information that you can use, and if so, what info is of most use to you?:

<yoursearch> | rex "\((?P<osinfo>[^\)]+)\)" | rex field=osinfo "(?P<os>[^;]+);(?P<vers>[^;]+)(;(?P<etc>[^;]+))?" | stats count by os, vers
0 Karma

pradjswl
Explorer

I am validating in regex101.com, but it doesn't return any result. Are you able to get the result? I am checking for the 1st sample: Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27.
The OS version in this case is 10_2_1. If you are getting the right result, could you please share the screenshot too?

0 Karma

cpetterborg
SplunkTrust

I brought your data (the example lines) into my local machine and did the field extractions inside of Splunk, so it worked fine for me.

0 Karma

pradjswl
Explorer

UserAgent has different formats for iOS & Android, as we can see below:

Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27

Mozilla/5.0 (Linux; Android 7.0; SAMSUNG-SM-G930A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0

I would like to extract them as "iPhone OS 10_2_1" & "Android 7.0"; would that be possible? I am struggling to put an OR condition where it would check different formats based on iOS & Android.

0 Karma
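A worked version of the extraction this thread converges on, as an added example that is not from the thread or from Splunk: the accepted answer's regex beside an alternation that returns the OS name and version for the iOS, Android and Windows NT layouts in the posted samples. It uses Python's `re`, which accepts the same `(?P<name>...)` group syntax as `rex`; the four sample strings are copied from the thread, and `count_by_os_version` mirrors the `stats count by os, vers` step.

```python
import re
from collections import Counter

# Four User-Agent strings copied from the samples posted in the thread.
SAMPLES = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Mobile/14D27",
    "Mozilla/5.0 (Linux; Android 7.0; SAMSUNG-SM-G930A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.132 Mobile Safari/537.36",
    "Mozilla/5.0 (iPad; CPU OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
]

# The accepted answer's pattern, unchanged: the first two ';'-separated fields of
# the parenthesised platform block. 'vers' is only a clean version on Android;
# on iOS it carries the whole "CPU ... like Mac OS X" text, on Windows "WOW64".
ACCEPTED = re.compile(r"\((?P<os>[^;]+);(?P<vers>[^;)]+).*$")

# One alternation covering the three platform layouts in the samples. Python's
# re (like PCRE) rejects duplicate group names, so each branch names its own.
# iPad strings say "CPU OS 10_3_1", so the iOS name group is "OS" for them.
OS_VERSION = re.compile(
    r"\((?:"
    r"(?:iPhone|iPad|iPod);\s*CPU\s+(?P<ios>(?:iPhone )?OS)\s+(?P<ios_ver>\d+(?:_\d+)*)"
    r"|Linux;\s*(?P<android>Android)\s+(?P<android_ver>\d+(?:\.\d+)*)"
    r"|(?P<win>Windows NT)\s+(?P<win_ver>\d+(?:\.\d+)*)"
    r")"
)

def accepted_fields(ua):
    """os/vers exactly as the accepted answer's regex extracts them, or None."""
    m = ACCEPTED.search(ua)
    return (m.group("os"), m.group("vers").strip()) if m else None

def os_version(ua):
    """Return (os_name, version), e.g. ("Android", "7.0"), or None."""
    # A User-Agent is client-supplied text: an unrecognised layout yields
    # None rather than a partial or misleading value.
    m = OS_VERSION.search(ua)
    if not m:
        return None
    for name in ("ios", "android", "win"):
        if m.group(name):
            return m.group(name), m.group(name + "_ver")
    return None

def count_by_os_version(uas):
    """Mirror of '| stats count by os, vers' over the extracted pairs."""
    return Counter(os_version(ua) or ("unknown", "") for ua in uas)
```

The `OS_VERSION` pattern can be pasted into `rex` as one string, since Splunk's PCRE uses the same named-group syntax; only the quoting of the surrounding SPL changes.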