Hi
I'm trying to check a field for an OS. If Windows is found, then replace the entire field with "Windows". If mac is found, then replace the entire field with "Mac", etc. It seems like only the second match works. Anyone know why?
Current Search:
...
| eval OS=if(match(User_Agent,"mac"),"Macintosh",User_Agent)
| eval OS=if(match(User_Agent,"windows"),"Windows",User_Agent)
Sample Data:
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; PRU_IE; rv:11.0) like Gecko
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18
You're writing the OS field in the second eval, regardless of a match or not: either with "Windows" or with User_Agent. Instead, make the if() preserve the current value like this:
...
| eval OS=if(match(User_Agent,"(?i)mac"),"Macintosh",OS)
| eval OS=if(match(User_Agent,"(?i)windows"),"Windows",OS)
Note that I made the regular expressions case insensitive. Additionally, be careful about accidentally matching other parts of the string. I'm pretty sure the web already has working examples of how to regex out the OS from a user agent, maybe even on splunkbase.
They are both working, but your second eval is overwriting the OS value of your first.
Change the second to:
| eval OS=if(match(User_Agent,"windows"),"Windows",OS)
Everyone said, "your overwriting". For some reason when I read your "you're overwriting" the light bulb turned on. Thanks.
Ok. I understand that I'm having a logic issue. I don't see it though. This example works as I want to use it for multiple matches. Appreciate it.
I understand the bad overwrite now. Thanks.
BOOM! This is the answer.
It looks like this?
ex.)
User_Agent:"mac"
| eval OS=if(match(User_Agent,"mac"),"Macintosh",User_Agent)
OS:Macintosh
| eval OS=if(match(User_Agent,"windows"),"Windows",User_Agent)
OS:mac
Try this!
your search |eval OS = case(match(User_Agent,"mac"), "Macintosh", match(User_Agent,"windows"), "Windows",1==1,User_Agent)
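To make the difference between the chained-eval fix above and this case() version concrete, here is an added Python emulation (not Splunk code and not from any poster) of match(), if() and case() run over the user agents posted in this thread. It uses the case-insensitive (?i) patterns from the earlier answer; the "iOS" label and the ipad|iphone rule are assumptions added to show why rule order matters in case().

```python
import re

# User agents copied from this thread: the two from the question and the
# lowercased iPad string the asker posted later.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; PRU_IE; rv:11.0) like Gecko",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 "
    "(KHTML, like Gecko) Version/8.0.3 Safari/600.3.18",
    "junospulseipad/iphone mozilla/5.0 (ipad; cpu os 9_0_2 like mac os x) "
    "applewebkit/601.1.46 (khtml, like gecko) mobile/13a452 "
    "junospulse(version-5.0.8.50589)ipad/iphone",
]


def match(value, pattern):
    """Emulates SPL match(): true if the regex is found anywhere in the value."""
    return re.search(pattern, value) is not None


def os_overwriting(ua):
    """The original two evals: the second eval's else-branch is User_Agent,
    so whatever the first eval produced is thrown away."""
    os_field = "Macintosh" if match(ua, "(?i)mac") else ua
    os_field = "Windows" if match(ua, "(?i)windows") else ua  # clobbers OS
    return os_field


def os_preserving(ua):
    """The fix: the else-branch of each later eval is the current OS value."""
    os_field = "Macintosh" if match(ua, "(?i)mac") else ua
    os_field = "Windows" if match(ua, "(?i)windows") else os_field
    return os_field


def os_case(ua, rules):
    """Emulates SPL case(): the first true condition wins, in list order;
    returning the user agent plays the role of the 1==1 default."""
    for pattern, label in rules:
        if match(ua, pattern):
            return label
    return ua


# "mac os x" appears inside the iPad user agent, so a bare "mac" rule
# mislabels it unless a more specific rule is tested first (assumed labels).
RULES_NAIVE = [("(?i)mac", "Macintosh"), ("(?i)windows", "Windows")]
RULES_ORDERED = [("(?i)ipad|iphone", "iOS")] + RULES_NAIVE

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(os_overwriting(ua)[:20], "|", os_preserving(ua), "|",
              os_case(ua, RULES_NAIVE), "|", os_case(ua, RULES_ORDERED))
```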
Thank you HiroshiSatoh. This works. Only thing is that I tried to copy-cat the logic for multiple searches and I ran into issues. I'm new to Splunk!
This works for me, thanks!
You're matching on the field User_Agent for patterns like "mac" and "windows". So I ask, does the User_Agent field exist on "mac" data? If so, can you please post an example?
or you can show us what matches this search maybe?
...|dedup User_Agent | table User_Agent
Sorry I don't understand your question. Are you asking if there is a User_Agent field that contains the literals, 'mac'? If so yes.
Below is a field where with the above code I expect it to be 'Macintosh' because of the literal 'mac' contained in it.
junospulseipad/iphone mozilla/5.0 (ipad; cpu os 9_0_2 like mac os x) applewebkit/601.1.46 (khtml, like gecko) mobile/13a452 junospulse(version-5.0.8.50589)ipad/iphone
Did you try capitalizing the m and w of mac and windows in your match function?
Sorry, the sample data is raw. In the code I had the sample data all lowercased.
That was my first thought, but he says windows match is working so I asked for a list of User_Agent values.