Users visiting our website use a variety of devices and web browsers. By analyzing the web access logs, we can understand which browsers are the most popular and, therefore, which browsers our site must support at the least. We can also use this same information to help identify the types of devices that people are using.
In this recipe, we will write a Splunk search to find the most used web browsers over a given period of time. We will then make use of both the eval and replace commands to clean up the data a bit.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker to the right of it.
Follow the given steps to search for the most used web browsers:
index=main sourcetype=access_combined | eval browser=useragent | replace *Firefox* with Firefox, *Chrome* with Chrome, *MSIE* with "Internet Explorer", *Version*Safari* with Safari, *Opera* with Opera in browser | top limit=5 useother=t browser
Save the search as a report titled cp02_most_used_webbrowsers and click on Save. On the next screen, click on Continue Editing to return to the search.

Let's break down the search piece by piece:
Search fragment | Description
---|---
`index=main sourcetype=access_combined` | You should now be familiar with this search from the earlier recipes in this chapter.
`eval browser=useragent` | Using the
`replace *Firefox* with Firefox, *Chrome* with Chrome, *MSIE* with "Internet Explorer", *Version*Safari* with Safari, *Opera* with Opera in browser` | Using the
`top limit=5 useother=t browser` | Using the
In this recipe, we used both the eval and replace commands for illustrative purposes. This approach absolutely works, but a better approach is to use Splunk's lookup functionality to look up the useragent value and return the browser name and version. Lookups are covered later in this book.
Often, the same field values can be used in different ways to provide additional insight. In this case, the useragent field can be used to inform the types of devices that access our site.
Let's modify the search to display the types of user operating systems that access our website:
index=main sourcetype=access_combined | eval os=useragent | replace *Windows* with Windows, *Macintosh* with Apple, *Linux* with Linux in os | top limit=3 useother=t os
When the search is run, you should see results similar to the following screenshot:
The search is similar, but this time we decided to pull the OS-related information from the useragent field and used it to compare access between major OS types.