Users visiting our website use a variety of devices and web browsers. By analyzing the web access logs, we can understand which browsers are the most popular and, therefore, which browsers our site must support at the least. We can also use this same information to help identify the types of devices that people are using.
In this recipe, we will write a Splunk search to find the most used web browsers over a given period of time. We will then make use of both the eval and replace commands to clean up the data a bit.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker to the right of it.
Follow the given steps to search for the most used web browsers:
- Log in to your Splunk server.
- Select the Search & Reporting application.
- Ensure that the time range picker is set to Last 24 hours and type the following search into the Splunk search bar. Then, click on Search or hit Enter.
index=main sourcetype=access_combined | eval browser=useragent | replace *Firefox* with Firefox, *Chrome* with Chrome, *MSIE* with "Internet Explorer", *Version*Safari* with Safari, *Opera* with Opera in browser | top limit=5 useother=t browser
- Splunk will return a tabulated list of the top five most used web browsers on our site, by count and percent.
- Save this search by clicking on Save As and then on Report. Give the report the name
cp02_most_used_webbrowsersand click on Save. On the next screen, click on Continue Editing to return to the search.
Let's break down the search piece by piece:
|
Search fragment |
Description |
|---|---|
|
|
You should now be familiar with this search from the earlier recipes in this chapter. |
|
|
Using the |
|
|
Using the |
|
|
Using the |
In this recipe, we used both the eval and replace commands for illustrative purposes. This approach absolutely works, but a better approach can be to use Splunk's lookup functionality to look up the useragent value and return the browser name and version. Lookups are covered later in this book.
Often, the same field values can be used in different ways to provide additional insight. In this case, the useragent field can be used to inform the types of devices that access our site.
Let's modify the search to display the types of user operating systems that access our website:
index=main sourcetype=access_combined | eval os=useragent | replace *Windows* with Windows, *Macintosh* with Apple, *Linux* with Linux in os | top limit=3 useother=t os
When the search is run, you should see results similar to the following screenshot:
The search is similar, but this time we decided to pull the OS-related information from the useragent field and used it to compare access between major OS types.