All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

TA-user-agents: Why are some user agents showing as unknown, and how do we add these into the lookup definitions?

robertgoolsby
Engager
‎09-09-2015 11:16 AM

It looks like there are a handful of user agents that show up as unknown:

Mozilla/5.0+(iPhone;+CPU+iPhone+OS+7_1_1+like+Mac+OS+X)+AppleWebKit/537.51.2+(KHTML,+like+Gecko)+Mobile/11D201
Mozilla/5.0+(iPad;+CPU+OS+8_4_1+like+Mac+OS+X)+AppleWebKit/600.1.4+(KHTML,+like+Gecko)+Mobile/12H321
Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.34209
Mozilla/5.0+(iPhone;+CPU+iPhone+OS+8_3+like+Mac+OS+X)+AppleWebKit/600.1.4+(KHTML,+like+Gecko)+Mobile/12F70

How do we get these added into the lookup definitions? Manually though the .yaml?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dshpritz
SplunkTrust
SplunkTrust
‎09-09-2015 11:53 AM

One thing you may want to try doing is removing the "+" symbols from the user-agent string (some of the regexes in the YAML do use spaces). Something like:

eval http_user_agent = replace(http_user_agent,"+"," ")

If that doesn't work, then you may need to edit the regexes. This can be done by editing the regexes.yaml, but be aware that those changes may be overwritten on an upgrade.

HTH,

Dave

View solution in original post

Reply
Solved! Jump to solution
Solution

dshpritz
SplunkTrust
SplunkTrust
‎09-09-2015 11:53 AM

One thing you may want to try doing is removing the "+" symbols from the user-agent string (some of the regexes in the YAML do use spaces). Something like:

eval http_user_agent = replace(http_user_agent,"+"," ")

If that doesn't work, then you may need to edit the regexes. This can be done by editing the regexes.yaml, but be aware that those changes may be overwritten on an upgrade.

HTH,

Dave

Reply
Solved! Jump to solution

robertgoolsby
Engager
‎09-09-2015 12:26 PM

Close - needed the slash:

eval http_user_agent = replace(http_user_agent,"\+"," ")
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...