Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Only show transactions that don't contain a certain value

sfrazer
Explorer
‎08-02-2017 01:11 PM

This may have been asked before, but I'm having trouble finding it.

I have weblogs that I've sliced into transactions like this:

sourcetype=access_log | transaction srcip maxspan=15m

I'm looking for entries that NEVER have a cookie set. In a transaction where a cookie is set I have 2 or more values for cookies, I see this in the cookie field:

cookie
-   
s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1

So I'd like for this transaction to not appear in my result set.

I've tried this, without success:

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie = "-")

but it still returns the example with 2 cookies in it.

0 Karma
Reply

sfrazer
Explorer
‎08-04-2017 07:49 AM

Neither of the suggestions quite got at what I was trying to do.

I ended up doing this instead:

sourcetype="access_log" status=200  | transaction srcip maxspan=15m | nomv cookie | search cookie="-"

This collapsed the separate cookie variables into one cookie field which I then inspect to see if it had more than a blank entry (our web server records "no cookie" as "-") and discard everything that's ever had a cookie.

Not sure if there's a better way to have done this....

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-02-2017 05:11 PM 
 sourcetype=access_log NOT cookie=*
| transaction srcip maxspan=15m
0 Karma
Reply

sbbadri
Motivator
‎08-02-2017 01:40 PM

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie!= "-")

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...