Solved: Omit/filter/exclude events from a transaction

pburkholder · ‎06-01-2011

When I do the following search

sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] | transaction clientip

I get transactions that include all the requests for .css, .js, .png, etc. I'd like to remove that clutter from the transactions. Being simple-mineded, I tried:

But that didn't help. How can I exclude stuff I don't want to see within a transaction?

Thanks -- Peter

dwaddle · ‎06-01-2011

Hi Peter,

Filter it out before it gets into the transaction. Something like:

sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] 
NOT ( png OR css OR js OR ico) | transaction clientip

View solution in original post

dwaddle · ‎06-09-2011

If this resolved your issue, please 'accept' the answer by clicking on the outlined check-box to the left of it. Thanks!

pburkholder · ‎06-06-2011

Doh! Thanks!

dwaddle · ‎06-01-2011

Hi Peter,

Filter it out before it gets into the transaction. Something like:

sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] 
NOT ( png OR css OR js OR ico) | transaction clientip

Omit/filter/exclude events from a transaction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life