This may have been asked before, but I'm having trouble finding it.
I have weblogs that I've sliced into transactions like this:
sourcetype=access_log | transaction srcip maxspan=15m
I'm looking for entries that NEVER have a cookie set. In a transaction where a cookie is set I have 2 or more values for cookies, I see this in the cookie field:
cookie - s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1
So I'd like for this transaction to not appear in my result set.
I've tried this, without success:
sourcetype=access_log | transaction srcip maxspan=15m | where (cookie = "-")
but it still returns the example with 2 cookies in it.
Neither of the suggestions quite got at what I was trying to do.
I ended up doing this instead:
sourcetype="access_log" status=200 | transaction srcip maxspan=15m | nomv cookie | search cookie="-"
This collapsed the separate cookie variables into one cookie field which I then inspect to see if it had more than a blank entry (our web server records "no cookie" as "-") and discard everything that's ever had a cookie.
Not sure if there's a better way to have done this....