This technology add-on provides a dynamic lookup that adds fields to user agent (browser) data. Because user agent strings are very difficult to work with, these fields are intended to make working with these events easier.
This data is provided by the Browser Capabilities Project:
http://browscap.org/
Libraries are provided by:
http://pypi.python.org/pypi/pybrowscap/
Some of the additional fields include:
ua_category = The user-agent family (Firefox, Safari, IE, Wget, etc.)
ua_is_crawler = If the UA is a crawler or robot (True, False, unknown)
ua_is_mobile = If the UA is a mobile UA (WAP browser) (True, False, unknown)
ua_is_syndication_reader = If the UA is an RSS reader (True, False, unknown)
ua_name = A name for the UA. In many cases this is family + version
ua_platform = Platform of the UA (Linux, MacOSX, Win7, WinXP, etc.)
See the README for more information including all fields and installation.
Additional fields include
- ua_aol_version = AOL Version of the user-agent. If none, 0
- ua_category = The user-agent family (Firefox, Safari, IE, Wget, etc.)
- ua_is_alpha = If the UA is an alpha version (True, False, unknown)
- ua_is_beta = If the UA is a beta version (True, False, unknown)
- ua_is_crawler = If the UA is a crawler or robot (True, False, unknown)
- ua_is_mobile = If the UA is a mobile UA (WAP browser) (True, False, unknown)
- ua_is_syndication_reader = If the UA is an RSS reader (True, False, unknown)
- ua_name = A name for the UA. In many cases this is family + version
- ua_platform = Platform of the UA (Linux, MacOSX, Win7, WinXP, etc.)
- ua_supports_activex = If the UA supports ActiveX (True, False, unknown)
- ua_supports_cookies = If the UA supports cookies (True, False, unknown)
- ua_supports_css = If the UA supports CSS (True, False, unknown)
- ua_supports_frames = If the UA supports frames (True, False, unknown)
- ua_supports_iframes = If the UA supports iframes (True, False, unknown)
- ua_supports_java = If the UA supports Java (True, False, unknown)
- ua_supports_javascript = If the UA supports JavaScript (True, False, unknown)
- ua_supports_tables = If the UA supports tables (True, False, unknown)
- ua_supports_vbscript = If the UA supports VBScript (True, False, unknown)
- ua_version = The full version of the UA (1.1)
- ua_version_major = The major version of the UA
- ua_version_minor = The minor version of the UA
Installation
To install:
- Untar the TA-browscap.tar.gz file in your $SPLUNK_HOME/etc/apps directory.
- Change to the $SPLUNK_HOME/etc/apps/TA-browscap/bin directory.
- Download the browscap.csv file from the project:
  wget -O browscap.csv "http://browscap.org/stream?q=BrowsCapCSV"
- Restart Splunk.
Usage
To use:
The lookup expects a field named "http_user_agent". In the search bar,
you can run something like:
index=webdata | lookup browscap_lookup http_user_agent
This should produce the additional fields.
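The search below is an added example, not part of the add-on's own documentation. It uses the lookup's output fields to summarize web traffic by client type so that crawlers and unrecognized agents stand out. It assumes the flag fields hold the literal strings True, False and unknown as listed above, and that events with no browscap match come back without ua_* fields, which is why they are filled with "unknown" before grouping.

```spl
index=webdata
| lookup browscap_lookup http_user_agent
| fillnull value="unknown" ua_category ua_platform ua_is_crawler ua_is_mobile
| eval ua_class=case(ua_is_crawler=="True", "crawler",
                     ua_is_crawler=="unknown" OR ua_category=="unknown", "unrecognized",
                     ua_is_mobile=="True", "mobile",
                     true(), "browser")
| stats count AS requests, dc(http_user_agent) AS distinct_agents BY ua_class, ua_category, ua_platform
| sort - requests
```

The user agent string is supplied by the client, so a "browser" classification reflects only what the client claims to be. The "unrecognized" rows are the ones to review by hand.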