Good morning, I need to know what the exact search command is in order to see this parameter: Enter a search that returns all web application events that
contain a prohibited status (403)
Hi @DANITO115,
did you followed the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)?
Anyway, this depends on the data type you want to search and if you already extracted the status field.
If you already extracted, you could simply use:
index=your_index status=403
if not, you have to extract it using a regex, but to help you in this a sample of your logs is required.
Otherwise, you can simply search the string 403
index=your_index 403
but you could have some false positive:
Ciao.
Giuseppe
ty This command help me a lot
Hi @DANITO115,
did you followed the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)?
Anyway, this depends on the data type you want to search and if you already extracted the status field.
If you already extracted, you could simply use:
index=your_index status=403
if not, you have to extract it using a regex, but to help you in this a sample of your logs is required.
Otherwise, you can simply search the string 403
index=your_index 403
but you could have some false positive:
Ciao.
Giuseppe