Splunk Search

Only show transactions that don't contain a certain value

sfrazer
Explorer

This may have been asked before, but I'm having trouble finding it.

I have weblogs that I've sliced into transactions like this:

sourcetype=access_log | transaction srcip maxspan=15m

I'm looking for entries that NEVER have a cookie set. In a transaction where a cookie is set I have 2 or more values for cookies, I see this in the cookie field:

cookie
-   
s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1

So I'd like for this transaction to not appear in my result set.

I've tried this, without success:

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie = "-")

but it still returns the example with 2 cookies in it.

0 Karma

sfrazer
Explorer

Neither of the suggestions quite got at what I was trying to do.

I ended up doing this instead:

sourcetype="access_log" status=200  | transaction srcip maxspan=15m | nomv cookie | search cookie="-"

This collapsed the separate cookie variables into one cookie field which I then inspect to see if it had more than a blank entry (our web server records "no cookie" as "-") and discard everything that's ever had a cookie.

Not sure if there's a better way to have done this....

0 Karma

jkat54
SplunkTrust
SplunkTrust
 sourcetype=access_log NOT cookie=*
| transaction srcip maxspan=15m
0 Karma

sbbadri
Motivator

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie!= "-")

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...