This TA provides an external Python lookup that parses User-Agent strings, such as those found in web or proxy logs.
1. Untar the tarball in $SPLUNK_HOME/etc/apps.
2. Restart Splunk.
The lookup expects a field named http_user_agent in the events. Once that field exists (via an extraction, alias or rename), you can use it in a lookup command, as follows:
index=web_proxy | lookup user_agents http_user_agent
The lookup will output the following fields:
* ua_os_family: The name of the client OS.
* ua_os_major: The major version of the client OS.
* ua_os_minor: The minor version of the client OS.
* ua_os_patch: The patch version of the client OS.
* ua_os_patch_minor: The minor patch version of the client OS.
* ua_family: The name of the UA ("Firefox", "IE").
* ua_major: The major version of the UA.
* ua_minor: The minor version of the UA.
* ua_patch: The patch version of the UA.
* ua_device: The type of device used in the event.
To add your own user agents, you can use the YAML file in TA-user-agents/bin/ua_parser/ named regexes.yaml.
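As an added example (not the TA's own script, and not the ua_parser module it bundles), the following miniature external lookup shows both halves of what is described above: the ordered regex table that regexes.yaml-style rules are built from, and the CSV-on-stdin / CSV-on-stdout exchange Splunk uses to call an external lookup. The rule tables are constructed for this example and cover only a handful of browsers; the key names (regex, family_replacement, v1_replacement, os_replacement, device_replacement and so on) are assumed to follow the convention of the regexes.yaml file in TA-user-agents/bin/ua_parser/, so check that file before copying rules across. The User-Agent header is client-supplied, so the example caps its length before any regex runs.

```python
"""Added example (not the TA's own script): a miniature Splunk external lookup
that parses User-Agent strings with a small, ordered regex table in the style
of regexes.yaml and fills the ua_* fields documented above."""
import csv
import io
import re
import sys

# UA strings come from the client. Bounding their length before any regex work
# keeps a hostile, very long header from turning into a slow search.
MAX_UA_LEN = 512

# Constructed rule tables. The key names (regex, family_replacement,
# v1_replacement, os_replacement, device_replacement, ...) follow the
# regexes.yaml convention of the ua_parser module (an assumption; check the
# file in TA-user-agents/bin/ua_parser/). Order matters: an Edge UA also
# contains "Chrome/" and "Safari/", and an Android UA also contains "Linux".
UA_PARSERS = [
    {"regex": r"(Edg)e?/(\d+)\.(\d+)\.(\d+)", "family_replacement": "Edge"},
    {"regex": r"(Firefox)/(\d+)\.(\d+)"},
    {"regex": r"(Chrome)/(\d+)\.(\d+)\.(\d+)"},
    {"regex": r"Version/(\d+)\.(\d+)(?:\.(\d+))?.*Safari/",
     "family_replacement": "Safari", "v1_replacement": "$1",
     "v2_replacement": "$2", "v3_replacement": "$3"},
]
OS_PARSERS = [
    {"regex": r"(Windows NT) (\d+)\.(\d+)", "os_replacement": "Windows"},
    {"regex": r"(iPhone OS|CPU OS) (\d+)_(\d+)(?:_(\d+))?", "os_replacement": "iOS"},
    {"regex": r"(Android) (\d+)(?:\.(\d+))?(?:\.(\d+))?"},
    {"regex": r"(Mac OS X) (\d+)[_.](\d+)(?:[_.](\d+))?"},
    {"regex": r"(Linux)"},
]
DEVICE_PARSERS = [
    {"regex": r"(iPhone)"},
    {"regex": r"(iPad)"},
    {"regex": r"Android[^;]*; ([^;)]+?) Build", "device_replacement": "$1"},
]

# (output field, replacement key, capture group) for each rule family.
UA_SPEC = [("ua_family", "family_replacement", 1), ("ua_major", "v1_replacement", 2),
           ("ua_minor", "v2_replacement", 3), ("ua_patch", "v3_replacement", 4)]
OS_SPEC = [("ua_os_family", "os_replacement", 1), ("ua_os_major", "os_v1_replacement", 2),
           ("ua_os_minor", "os_v2_replacement", 3), ("ua_os_patch", "os_v3_replacement", 4),
           ("ua_os_patch_minor", "os_v4_replacement", 5)]
DEVICE_SPEC = [("ua_device", "device_replacement", 1)]


def _expand(template, match, fallback):
    """Expand $1..$9 in a replacement template, or use the captured group."""
    if template is None:
        return fallback
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template).strip()


def _parse(rules, ua, spec):
    """First matching rule wins; unmatched input yields family "Other"."""
    for rule in rules:
        match = re.search(rule["regex"], ua)
        if match is None:
            continue
        groups = match.groups()
        return {field: _expand(rule.get(key), match,
                               (groups[idx - 1] or "") if idx <= len(groups) else "")
                for field, key, idx in spec}
    return {field: "Other" if idx == 1 else "" for field, _, idx in spec}


def parse_user_agent(ua):
    """Return the ten ua_* fields the lookup documents for one UA string."""
    ua = (ua or "")[:MAX_UA_LEN]
    fields = _parse(UA_PARSERS, ua, UA_SPEC)
    fields.update(_parse(OS_PARSERS, ua, OS_SPEC))
    fields.update(_parse(DEVICE_PARSERS, ua, DEVICE_SPEC))
    return fields


def run_lookup(csv_text):
    """Splunk external lookup protocol: Splunk streams CSV rows whose header
    lists the lookup's fields (http_user_agent plus the ua_* outputs, empty);
    the script returns the same rows with the outputs filled in."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    # Only the columns Splunk asked for are written back; other keys are dropped.
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        row.update(parse_user_agent(row.get("http_user_agent", "")))
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    sys.stdout.write(run_lookup(sys.stdin.read()))
```

Run stand-alone, the script reads the CSV Splunk pipes to it on stdin and writes the completed rows to stdout, which is the shape an external lookup script in a TA's bin directory takes. Because rules are tried in order and the first match wins, a new rule for a product whose UA embeds another product's token (as Edge embeds "Chrome/") has to be placed before the rule it would otherwise be shadowed by, which is the same care regexes.yaml needs when you add your own entries.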
Support is on a best-effort basis. Need help? Use the Splunk community resources! I can be found on many of them:
This TA uses a Python module from:
Removed binary script for Splunk Cloud compatibility.
Python 3 compatible for Splunk 8.