Hi, I have now nearly finished parsing my nginx access logfile.
This line is the "user_agent" field. My filter already parses various things out of it.
Chrome example:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
Android example:
"Mozilla/5.0 (Linux; Android 10; Pixel 3)
I want to use fingerprint or something similar to get the version (Android 10 or 10.0) and, if possible, I want "Pixel" or "Win64" in a separate field.
Filters:
# Logstash filter section for the nginx "access" fileset. The three enclosing
# conditionals (`if [event][module]`, `if [fileset][name]`, `if "anginx" in [tags]`)
# are not closed in this excerpt; only the inner `if ([user_agent])` block is.
if [event][module] == "nginx" {
if [fileset][name] == "access" {
# Tag the event so the conditional below (and later stages) can select it.
mutate {
add_tag => ["anginx", "Anginx"]
}
if "anginx" in [tags] {
# Parse the combined-log line; referrer and user_agent are captured as quoted
# strings (%{QS}), so the quotes are still part of the value after this step.
# NOTE(review): user_agent and referrer are client-controlled text; a line that
# does not match leaves a _grokparsefailure tag, which is worth checking downstream.
grok {
match => { "message" => "%{HTTPD_COMMONLOG} %{QS:referrer} %{QS:user_agent}" }
# remove_field => "message"
}
# Strip the leading and trailing double quote left by %{QS}.
mutate {
gsub => [ "referrer", '^"', '', "referrer", '"$', '' ]
}
mutate {
gsub => [ "user_agent", '^"', '', "user_agent", '"$', '' ]
}
# Keep the ingest time: @timestamp is overwritten by the date filter below.
mutate {
add_field => { "read_timestamp" => "%{@timestamp}" }
}
# NOTE(review): in the date filter's Joda-style patterns `YYYY` is the
# week-based year and `yyyy` the calendar year; events logged around a year
# boundary can be dated into the wrong year with `YYYY` — confirm which was intended.
date {
match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
remove_field => "[nginx][access][time]"
}
# Structured user-agent parsing into [ua_parsed]. The useragent filter's own
# output (presumably [ua_parsed][os_major] and [ua_parsed][device]) may already
# carry the OS version and device name asked for above — verify in Kibana.
useragent {
source => "[user_agent]"
target => "[ua_parsed]"
add_tag => ["ua_parsed"]
# remove_field => "[nginx][access][user_agent]"
}
if ([user_agent]) {
# Copy the raw UA string so it can be reshaped without touching [user_agent].
mutate { add_field => { "[http][product]" => "%{[user_agent]}" } }
# NOTE(review): "(.)" is an unescaped regex group matching any single character,
# so this gsub replaces EVERY character of [http][product] with a space. The
# parenthesised segments ("(Windows NT ...)") were presumably the target; the
# parentheses would need escaping and a quantifier for that — confirm intent.
mutate { gsub => [ "[http][product]", "(.)", " "] }
# Second copy, later split separately to pair each product with its version.
mutate { add_field => { "[http][product_version]" => "%{[http][product]}" } }
# Split on single spaces; the result is an array, and gsub on an array applies to each element.
mutate { split => [ "[http][product]", " " ] }
# "/." removes each slash together with exactly one following character, not the
# whole "/version" suffix — presumably a quantifier (e.g. ".*") was intended; confirm.
mutate { gsub => [ "[http][product]", "/.", ""] }
mutate { split => [ "[http][product_version]", " " ] }
}
Paste of a whole JSON document as parsed in Kibana: