Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Only show transactions that don't contain a certain value

sfrazer
Explorer
‎08-02-2017 01:11 PM

This may have been asked before, but I'm having trouble finding it.

I have weblogs that I've sliced into transactions like this:

sourcetype=access_log | transaction srcip maxspan=15m

I'm looking for entries that NEVER have a cookie set. In a transaction where a cookie is set I have 2 or more values for cookies, I see this in the cookie field:

cookie
-   
s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1

So I'd like for this transaction to not appear in my result set.

I've tried this, without success:

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie = "-")

but it still returns the example with 2 cookies in it.

0 Karma
Reply

sfrazer
Explorer
‎08-04-2017 07:49 AM

Neither of the suggestions quite got at what I was trying to do.

I ended up doing this instead:

sourcetype="access_log" status=200  | transaction srcip maxspan=15m | nomv cookie | search cookie="-"

This collapsed the separate cookie variables into one cookie field which I then inspect to see if it had more than a blank entry (our web server records "no cookie" as "-") and discard everything that's ever had a cookie.

Not sure if there's a better way to have done this....

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-02-2017 05:11 PM 
 sourcetype=access_log NOT cookie=*
| transaction srcip maxspan=15m
0 Karma
Reply

sbbadri
Motivator
‎08-02-2017 01:40 PM

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie!= "-")

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...