Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I check for a URL query parameter NOT being passed

roryhewitt
New Member
‎04-23-2015 04:10 PM

This is a follow-on question to http://answers.splunk.com/answers/228254/how-to-search-the-total-number-of-hits-to-urls-tha.html...

I want to try to find out the number of entries in a log file which contain one parameter but do NOT contain another parameter. The parameters could be in any order.

Basically, I want to be able to differentiate between these URL's:

1. /shop/product/<somevalue>?ID=123456&CategoryID=9876 <-- Both ID and CategoryID passed
2. /shop/product/<somevalue>?CategoryID=9876&ID=123456 <-- Both ID and CategoryID passed (different order)
3. /shop/product/<somevalue>?ID=123456

where I know that ID will always be passed, but where CategoryID is optional and may be before or after ID.

I need a count of type 3 (without CategoryID) to compare with a count of types 1 and 2 combined.

I can easily parse out all the entries that match the /shop/product/* path, but can I do a single subsequent rex/regex to check for existence somewhere in the query string of the CategoryID?

I hope this is clear...

0 Karma
Reply

stephanefotso
Motivator
‎04-23-2015 07:06 PM

Hello! By following the link you gave above, i think you should use this to compare type1, and type2
count(pro_id_TY1) is the count of ID in events where there is no CategoryID, (means the last event in your sample data.)
count(pro_id_TY2) is the count of ID in events where there is a CategoryID (means, the first and the second event in your sample data)

  1. if url is a field in your events, here you go
    ........|rex field=url "^[^&\n]\?ID=(?P\d+$)"|rex field=url "^[^&\n]&ID=(?P\d+)"|rex field=url "^[^&\n]*\?ID=(?P\d+)&Category"|stats count(pro_id_TY1) count(pro_id_TY2)

    1. if url is not a field, means you are working with raw data, here yu go:

    ...|rex field=_raw "^[^&\n]\?ID=(?P\d+$)"|rex field=url "^[^&\n]&ID=(?P\d+)"|rex field=url "^[^&\n]*\?ID=(?P\d+)&Category"|stats count(pro_id_TY1) count(pro_id_TY2)

If anny issue, let me know.
Thanks
Stephane

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...