I am quite knew to this and not remotely wedded to eval as the solution for this problem, I am eager to know if there is a better way to do this.
I am currently using this query:
index=cpdata | eval ua = case(
match(userAgent, "MSIE"), "Windows",
match(userAgent, "Windows"), "Windows",
match(userAgent, "Android"), "Android",
match(userAgent, "BlackBerry"), "BlackBerry",
match(userAgent, "like Mac OS X"), "iOS"
) | chart count by ua | sort by count | reverse
Which is successfully giving me what I expect to see.. I want to create a further case of 'Other' where anything that doesn't match is counted though. I have not managed to do this.
↧