Splunk Search

Only show transactions that don't contain a certain value

Explorer

This may have been asked before, but I'm having trouble finding it.

I have weblogs that I've sliced into transactions like this:

sourcetype=access_log | transaction srcip maxspan=15m

I'm looking for entries that NEVER have a cookie set. In a transaction where a cookie is set I have 2 or more values for cookies, I see this in the cookie field:

cookie
-   
s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1

So I'd like for this transaction to not appear in my result set.

I've tried this, without success:

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie = "-")

but it still returns the example with 2 cookies in it.

0 Karma

Explorer

Neither of the suggestions quite got at what I was trying to do.

I ended up doing this instead:

sourcetype="access_log" status=200  | transaction srcip maxspan=15m | nomv cookie | search cookie="-"

This collapsed the separate cookie variables into one cookie field which I then inspect to see if it had more than a blank entry (our web server records "no cookie" as "-") and discard everything that's ever had a cookie.

Not sure if there's a better way to have done this....

0 Karma

SplunkTrust
SplunkTrust
 sourcetype=access_log NOT cookie=*
| transaction srcip maxspan=15m
0 Karma

Motivator

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie!= "-")

0 Karma