Provides an external Python lookup that parses User Agent strings.

| Property | Value |
|---|---|
| Author | Aplura, LLC |
| App Version | 1.7.9 |
| App Build | 37 |
| Creates an index | False |
| Implements summarization | No |
| Summary Indexing | False |
| Data Model Acceleration | If Enabled |
| Report Acceleration | False |
| Splunk Enterprise versions | |
| Platforms | Splunk Enterprise, Splunk Cloud |
This App provides the following scripts:

| Script | Purpose |
|---|---|
| Diag.py | For use with the diag command. |
| fetch_latest.sample | Grabs the most recent versions of the upstream libraries. |
| user_agents.py | The Python external lookup script that parses the user agent. |
| Utilities.py | Supporting Python module for logging and other shared needs. |
| version.py | Contains the version of the package. |
| app_properties.py | Contains the app properties. |
fetch_latest.sample is a bash script; to use it, rename it and mark it executable (chmod +x). It updates the vendored libraries for on-prem installations.
PAVO TA User Agents contains the following lookup files.
- None
While PAVO TA User Agents does not include lookup files, it provides a dynamic (external) lookup, invoked as follows:

```
<SPL> | lookup user_agents http_user_agent AS <user agent field>
```
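As an added illustration (not the TA's own user_agents.py), the script below shows how a Splunk external lookup of this kind is wired: Splunk passes the lookup field names as arguments and a CSV on stdin, and the script returns the same CSV with the output columns filled in. The ua_parser library and regexes.yaml are replaced by a few constructed regex rules of the same shape so it runs offline, and the output field names (ua_family, ua_major, ua_minor, os_family, os_major) are assumptions, not the TA's real field list.

```python
import csv, io, re, sys
# UA strings are client-controlled input: cap the length before any regex work.
MAX_UA_LEN = 512
OUTPUT_FIELDS = ["ua_family", "ua_major", "ua_minor", "os_family", "os_major"]  # assumed names

# Constructed rules in the shape of uap-core regexes.yaml (regex, family_replacement).
# Order matters, as upstream: Edge UAs also carry "Chrome/", Android UAs also carry "Linux".
UA_RULES = [
    (re.compile(r"Edg/(\d+)\.(\d+)"), "Edge"),
    (re.compile(r"Chrome/(\d+)\.(\d+)"), "Chrome"),
    (re.compile(r"Version/(\d+)\.(\d+).*Safari/"), "Safari"),
    (re.compile(r"curl/(\d+)\.(\d+)"), "curl"),
]
OS_RULES = [
    (re.compile(r"Windows NT (\d+)\.(\d+)"), "Windows"),
    (re.compile(r"Android (\d+)(?:\.(\d+))?"), "Android"),
    (re.compile(r"Linux"), "Linux"),
]

def _first_match(rules, text):
    """First rule whose regex matches -> (family, major, minor); 'Other' if none."""
    for regex, family in rules:
        m = regex.search(text)
        if m:
            groups = [g or "" for g in m.groups()] + ["", ""]
            return family, groups[0], groups[1]
    return "Other", "", ""

def parse_ua(ua):
    """Parse one User-Agent string into the output fields; never raises on odd input."""
    ua = (ua or "")[:MAX_UA_LEN]
    family, major, minor = _first_match(UA_RULES, ua)
    os_family, os_major, _ = _first_match(OS_RULES, ua)
    return {"ua_family": family, "ua_major": major, "ua_minor": minor,
            "os_family": os_family, "os_major": os_major}

def run_lookup(input_csv, ua_field="http_user_agent"):
    """Splunk external-lookup protocol: CSV in, same columns plus outputs filled, CSV out."""
    reader = csv.DictReader(io.StringIO(input_csv))
    fields = list(reader.fieldnames or [])
    header = fields + [f for f in OUTPUT_FIELDS if f not in fields]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row.update(parse_ua(row.get(ua_field)))  # unmatched rows come back as "Other"/blank
        writer.writerow(row)
    return out.getvalue()

if __name__ == "__main__":  # Splunk passes the lookup field names as argv; the first is the UA field
    sys.stdout.write(run_lookup(sys.stdin.read(), sys.argv[1] if len(sys.argv) > 1 else "http_user_agent"))
```

Run it as `echo -e 'http_user_agent\ncurl/8.4.0' | python3 example_lookup.py http_user_agent` to see the round trip; an oversized or empty UA value yields "Other" rather than an error that would abort the search.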
PAVO TA User Agents does not include an event generator.
- Summary Indexing: No
- Data Model Acceleration: No
- Report Acceleration: No
If updated libraries need to be pulled before a re-release of this app, use the following script. It belongs in bin/ but cannot be shipped within the app itself because of Splunk AppInspect restrictions.

```bash
#!/bin/bash
# This script will pull down the latest python modules from the upstream
# maintainers using git. This updates not only the regexes.yaml file, but all
# the python code.
#
# This script is intended to be useful to both end-users simply wanting the
# latest User Agent strings as well as the TA maintainer (or anyone else
# storing their Splunk apps in git) periodically refreshing this content.
#
# Even though uap-core is a submodule of uap-python, to always get the latest
# UA parsing configuration, this script pulls both repos independently. Since
# the submodule isn't initialized, this doesn't result in duplicate work.
#
# WARNING: Any local customizations to regexes.yaml will be overwritten.
#
# Author: Lowell Alleman ([email protected])
cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1
MYNAME=$(basename "${BASH_SOURCE[0]}")
BIN_DIR=$(pwd)
REPOS="$BIN_DIR/repos"
target="$1"
if [[ $target != "local" ]] && [[ $target != "git" ]]
then
    echo "Usage: $MYNAME (local|git) " 1>&2
    echo 1>&2
    echo "  Unless you are the TA maintainer, pick 'local'" 1>&2
    exit 1
fi
# git is required for the clones below
[[ -x "$(command -v git)" ]] || { echo "$MYNAME requires 'git'." 1>&2; exit 2; }
# Start from a clean scratch directory so stale upstream files never linger
[[ -d "$REPOS" ]] && rm -rf "$REPOS"
[[ -d "$REPOS" ]] || mkdir -v "$REPOS"
cd "$REPOS" || exit 1
git clone https://github.com/ua-parser/uap-python.git || exit 1
git clone https://github.com/ua-parser/uap-core.git || exit 1
# Confirm that the checkout still contains all the expected folders; if not,
# this script will need to be updated to reflect whatever upstream changed.
[[ -d "uap-python/src/ua_parser" ]] || { echo "Upstream git repo missing 'ua_parser'" 1>&2; exit 3; }
[[ -f "uap-core/regexes.yaml" ]] || { echo "Upstream git repo missing 'regexes.yaml'" 1>&2; exit 3; }
echo "Copying updated python modules into TA-user-agents"
# Delete command kept here (commented out) in case a revert is needed; wiping the
# vendored copies this way would fail AppInspect though:
# rm -rf "$BIN_DIR/ua_parser" "$BIN_DIR/uap-core"
[[ -d "$BIN_DIR/ua_parser" ]] || mkdir -v "$BIN_DIR/ua_parser"
[[ -d "$BIN_DIR/uap-core" ]] || mkdir -v "$BIN_DIR/uap-core"
# Skip all hidden files (the globs below do not match dotfiles)
#cp -a "$REPOS"/uap-python/ua_parser/* "$BIN_DIR/ua_parser"
#cp -a "$REPOS"/uap-core/* "$BIN_DIR/uap-core"
cp -R "$REPOS"/uap-python/src/ua_parser/* "$BIN_DIR/ua_parser/"
cp -R "$REPOS"/uap-core/* "$BIN_DIR/uap-core/"
```

Because this App runs on Splunk Enterprise, all the Splunk Enterprise system requirements apply.
- Install the extension.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
- Deploy as you would any App, and restart Splunk.
- Configure.
- Have your Splunk Cloud Support handle this installation.
- For each Search Head in the environment, deploy a copy of the App.
Access questions and answers specific to PAVO TA User Agents at https://community.splunk.com. Be sure to tag your question with the App.
- Support Email: [email protected]
- Support Offered: Splunk Answers, Email
Copy the ``log.cfg`` file from ``default`` to ``local`` and change the settings as needed.
If a support representative asks for it, a support diagnostic file can be generated. Use the following command to generate the file. Send the resulting file to support.
``$SPLUNK_HOME/bin/splunk diag --collect=app:TA-user-agents``
Version 1.7.9 of PAVO TA User Agents has the following known issues:
- None
- Improvement
  - Updated UAP Parser and Core libraries.
  - Confirmed Splunk 10 Compatibility.
- Improvement
  - Removed Perl Scripts that were flagged.
- Improvement
  - Removed Python that was flagged by Upgrade Readiness App.
- Improvement
  - Modified Script for Splunk Cloud compatibility.
- Improvement
  - Updated for Python 3 and Splunk 8 compatibility.
Version 1.7.9 of PAVO TA User Agents incorporates the following Third-party software or third-party services.
- ua_parser
- pyyaml