This TA provides and external Python lookup that parses User Agents strings, such as those found in Web or Proxy logs.
1. Untar the tarball file in your $SPLUNK_HOME/etc/apps
2. Restart Splunk.
The lookup expects a field in the events (http_user_agent). Once that field exists (via extractions, alias or rename). Once that field exists, you can use it in a lookup command, as such:
index=web_proxy | lookup user_agents http_user_agent
The lookup will output the following fields:
* ua_os_family: The name of the client OS.
* ua_os_major: The major version of the client OS.
* ua_os_minor: The minor version of the client OS.
* ua_os_patch: The patch version of the client OS.
* ua_os_patch_minor: The minor patch version of the client OS.
* ua_family: The name of the UA ("Firefox", "IE")
* ua_major: The major version of the UA.
* ua_minor: The minor version of the UA.
* ua_patch: The patch version of the UA
* ua_device: The type of device used in the event.
To add your own user agents, you can use the YAML file in TA-user-agents/bin/ua_parser/ named regexes.yaml.
Support is on a best-effort basis. Need help? Use the Splunk community resources! I can be found on many of them:
The git repo for this app is located here.
This TA uses a Python module from:
* Updated Python modules to latest available
* Will be repackaged without the fetch_latest script for Splunkbase and install in Splunk Cloud
* Updated README.md
* Added UPDATING.md with information about the script
* Changed to use MIT license
* Fix my mistake with a PR
* Created script to automate the upgrading of the latest versions of ua-parser
* Imported the latest version of Python libraries ua-parser and PyYAML
* Thanks to Lowell Alleman for contributing these!
* Updated to the latest version of the ua-parser
* Changed URL for the ua-parser to the new project page
* Added app icons
Updated the data file (regexes.yaml)
Removed pyc files for use in Splunk Cloud
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.