I needed to extract some browser version information from some Splunk-indexed S3 / Apache access logs today. A quick Google search was unilluminating, so I thought I’d document my own work here.

Rather than delving into the dark arts of defining Splunk extractions and transforms, I figured it would be a good chance to learn about using rex for ad-hoc field extracts while searching. What I’ve come up with is just a quick braindump for now, and only supports a subset of all browsers, but I’ll try to update this snippet as it evolves.

sourcetype="access*"  | 
rex field=useragent "(?<browser>(?<browser_software>(?<browser_version>.*)))" |
rex field=useragent "(?<browser>(?<browser_software>MSIE) (?<browser_version>[0-9.]+));" |
rex field=useragent "(?<browser>(?<browser_software>Firefox)/(?<browser_version>[0-9.]+))" |
rex field=useragent "Version.*(?<browser>(?<browser_software>Safari)/(?<browser_version>[0-9.]+))" |
rex field=useragent "(?<browser>(?<browser_software>Chrome)/(?<browser_version>[0-9.]+))"

The first rex line defaults the browser* fields to the full UA string, and each subsequent rex line extracts the browser information for a particular browser, storing the software name in browser_software, the version in browser_version and the combined result in browser.