Splunk Search

Exclude search events for a field containing a specific useragent.

bcherdak
New Member

I am attempting to create a sorted count list of useragents that customers are using to browse my website.

I want to exclude certain results and only show events of unknown agents, bots, vulnerability scanners.

Currently I am using the string

index = UV | where NOT like(ad_UserAgent,"%Mozilla%") OR like(ad_UserAgent,"%Opera%") | stats count by ad_UserAgent | sort - count

Is there something I am doing wrong that is still showing events that contain Mozilla and Opera?

Thank you for the assistance.

0 Karma

dturnbull_splun
Splunk Employee

A more straightforward search might be:

index=UV ad_UserAgent!=*Mozilla* ad_UserAgent!=*Opera* | top limit=0 ad_UserAgent

richgalloway
SplunkTrust

Looks like you need some parens. Have you tried ... | where NOT (like(ad_UserAgent,"%Mozilla%") OR like(ad_UserAgent,"%Opera%")) | ... ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
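
Added example, not part of the original thread: a small Python model of the two `where` predicates run over constructed `ad_UserAgent` values, showing which events the missing parentheses let through. It assumes `where` evaluates NOT before OR (as the suggested parentheses imply); the sample agents and function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample values for the ad_UserAgent field (not from the thread).
SAMPLE_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16",
    "ExampleScanner/1.0",
    "ExampleScanner/1.0",
    "ExampleBot/2.1",
]


def like(value, pattern):
    """SQL-style LIKE as used by like(): % matches any run, _ matches one character."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.fullmatch("".join(parts), value, re.DOTALL) is not None


def original_filter(ua):
    # As posted: NOT applies only to the first like(), so the predicate reads
    # (NOT Mozilla) OR Opera and keeps every event that matches %Opera%.
    return (not like(ua, "%Mozilla%")) or like(ua, "%Opera%")


def parenthesized_filter(ua):
    # With the added parentheses: NOT (Mozilla OR Opera).
    return not (like(ua, "%Mozilla%") or like(ua, "%Opera%"))


def count_by_agent(agents, keep):
    """Model of `stats count by ad_UserAgent | sort - count` after filtering."""
    return Counter(ua for ua in agents if keep(ua)).most_common()


def leaked(agents):
    """Agents the posted predicate keeps but the parenthesized one drops."""
    return sorted({ua for ua in agents
                   if original_filter(ua) and not parenthesized_filter(ua)})


if __name__ == "__main__":
    for name, keep in (("original", original_filter),
                       ("parenthesized", parenthesized_filter)):
        print(name, count_by_agent(SAMPLE_AGENTS, keep))
    print("leaked:", leaked(SAMPLE_AGENTS))
```

The `leaked` list is the set of browser events that would still appear in a report meant to surface only unknown agents, bots and scanners.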