We had a need to understand what type of devices our customers were using; specifically, Apple or Android. We came up with what is below…
host=cmhlpecomweb* sourcetype=access* ("iphone" OR "ipad" OR "android")
| rex mode=sed field=_raw "s/\t/~/g"
| eval tmp=split(_raw,"~")
| eval agent=mvindex(tmp,10)
| eval jsessionid = mvindex(tmp,14)
| rex field=agent "(?<agent2>[aA]ndroid)"
| eval device_type=if(isnotnull(agent2),"android","apple")
| dedup device_type,jsessionid
| stats count as cnt by device_type
This will come up with a list of unique combinations of device and session ID, and then print a count of each distinct device type.
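As an added example that is not part of the original post, here is the same pipeline re-implemented in Python so it can be run offline over a few constructed tab-separated log lines. The column layout (user agent at index 10, JSESSIONID at index 14, request path at index 6) and the sample user-agent strings are assumptions taken from the search above, and the substring check used for the base search is an approximation of Splunk's token-based term matching.

```python
"""Offline re-implementation of the Splunk device-type search (added example).

Pipeline mirrored: base term search -> replace tabs with '~' and split ->
pick agent (index 10) and jsessionid (index 14) -> rex for [aA]ndroid ->
dedup device_type,jsessionid -> stats count by device_type.
"""
import re
from collections import Counter

SEARCH_TERMS = ("iphone", "ipad", "android")  # the OR clause of the base search
AGENT_INDEX = 10        # mvindex(tmp,10): assumed column holding the user agent
JSESSIONID_INDEX = 14   # mvindex(tmp,14): assumed column holding JSESSIONID
PATH_INDEX = 6          # assumed column holding the request path (for samples only)
ANDROID_RE = re.compile(r"[aA]ndroid")  # the rex applied to the agent field


def make_line(agent, jsessionid, path="/index.html"):
    """Build one constructed tab-separated access-log line (hypothetical layout).

    Passing jsessionid=None produces a short line with no session column at all,
    which is what a truncated or differently formatted event would look like.
    """
    fields = [f"f{i}" for i in range(16)]
    fields[PATH_INDEX] = path
    fields[AGENT_INDEX] = agent
    if jsessionid is None:
        fields = fields[:JSESSIONID_INDEX]
    else:
        fields[JSESSIONID_INDEX] = jsessionid
    return "\t".join(fields)


def base_search_matches(raw):
    """The base search is case-insensitive and matches anywhere in the event,
    not only inside the user-agent column."""
    lower = raw.lower()
    return any(term in lower for term in SEARCH_TERMS)


def classify(raw):
    """Return (device_type, jsessionid) for one event, or None if the event
    would not reach the stats stage: it fails the base search, or it lacks a
    jsessionid, which dedup drops by default (keepempty=false)."""
    if not base_search_matches(raw):
        return None
    tmp = raw.replace("\t", "~").split("~")   # rex mode=sed s/\t/~/g + split(_raw,"~")
    agent = tmp[AGENT_INDEX] if len(tmp) > AGENT_INDEX else ""
    jsessionid = tmp[JSESSIONID_INDEX] if len(tmp) > JSESSIONID_INDEX else None
    if jsessionid is None:
        return None
    agent2 = ANDROID_RE.search(agent)          # rex field=agent "(?<agent2>[aA]ndroid)"
    device_type = "android" if agent2 else "apple"
    return device_type, jsessionid


def count_device_types(lines):
    """dedup device_type,jsessionid | stats count as cnt by device_type"""
    seen = set()
    counts = Counter()
    for raw in lines:
        result = classify(raw)
        if result is None or result in seen:
            continue
        seen.add(result)
        counts[result[0]] += 1
    return dict(counts)


# Constructed sample events (user-agent strings are illustrative, not captured).
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15"
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 16_0 like Mac OS X) AppleWebKit/605.1.15"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36"
WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

SAMPLE_LINES = [
    make_line(IPHONE_UA, "S1"),
    make_line(IPHONE_UA, "S1", path="/cart"),           # same session: collapsed by dedup
    make_line(ANDROID_UA, "S2"),
    make_line(ANDROID_UA, "S2", path="/cart"),          # same session: collapsed by dedup
    make_line(IPAD_UA, "S3"),
    make_line(WINDOWS_UA, "S4", path="/help/android"),  # matches via the path, counted as "apple"
    make_line(IPHONE_UA, None),                         # too few columns: no jsessionid, dropped
    make_line(WINDOWS_UA, "S5"),                        # no search term anywhere: filtered out
]

if __name__ == "__main__":
    print(count_device_types(SAMPLE_LINES))  # {'apple': 3, 'android': 1}
```

Two behaviours of the original search are visible in the sample set. First, the base search matches the whole event, so a desktop browser requesting a URL that contains "android" passes the search yet has no Android token in its user agent and is counted as "apple"; anchoring the terms to the agent field (or checking the agent for iPhone/iPad explicitly) avoids that. Second, events with fewer columns than expected have no jsessionid and are silently removed by dedup, and the split assumes _raw never already contains "~". Since the user agent is client-supplied, the result is a count of distinct sessions per reported device type, not a count of users or of verified devices.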