When I do the following search
sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] | transaction clientip
I get transactions that include all the requests for .css, .js, .png, etc. I'd like to remove that clutter from the transactions. Being simple-minded, I tried:
sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] | transaction clientip | regex url!="\.(png|css|js|ico)"
But that didn't help. How can I exclude stuff I don't want to see within a transaction?
Thanks -- Peter
Hi Peter,
Filter it out before it gets into the transaction. Something like:
sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ]
NOT ( png OR css OR js OR ico) | transaction clientip
If this resolved your issue, please 'accept' the answer by clicking on the outlined check-box to the left of it. Thanks!
Doh! Thanks!
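A tighter variant of the accepted approach, added here as an example and not taken from the thread: bare keywords such as `js` match anywhere in the raw event (a referer, for instance), so this version tests only the end of the request path, and it still runs before `transaction`, because afterwards each result is a whole group of events and a filter can only keep or drop entire transactions. It assumes the `url` field used in the question is extracted for this sourcetype.

```spl
sourcetype="access*"
    [ search method="POST" | fields clientip | rename clientip as query ]
| regex url!="(?i)\.(png|css|js|ico)(\?|$)"
| transaction clientip
```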