host=server sourcetype=iis #Software NOT #Fields NOT /favicon.ico
(method=GET OR method=POST) NOT eventtype="web-imagefile"
| fillnull
| stats count first(_time) last(_time) by user,src_ip,uri_stem
I am trying to approach organizing/filtering the uri_stem results to return just the information that seems useful. I see functions for eval and command but am not sure of the best way to approach.
Thanks!
Hint: You may need to use rex field extractions or eval functions (like case) to filter your uri_stem values and normalize them.
See http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Rex
If you want help, please provide a sample and a clear idea of the expected result.
To see them:
uri_stem="*/fraud*"
To exclude them:
NOT uri_stem="*/fraud*"
/fraudintro.html
/fraudmenu.htm
/fraudpost.asp
/fraudview.asp
Out of the results I am getting in the uri_stem column, I would like to learn the ability to either see just these results or completely exclude them.
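Added example, not written by any poster in this thread: one way to combine the rex hint with the include/exclude filter, using the four sample URIs above. The field names `section` and `page` and the page-name pattern are assumptions made for illustration; the base search is a simplified form of the one in the question.

```spl
host=server sourcetype=iis (method=GET OR method=POST) NOT eventtype="web-imagefile"
| rex field=uri_stem "(?i)^/(?<section>[a-z]+?)(?<page>intro|menu|post|view)\.(?:html?|asp)$"
| fillnull value="other" section page
| search section="fraud"
| stats count first(_time) AS first_time last(_time) AS last_time BY user, src_ip, section, page
| convert ctime(first_time) ctime(last_time)
```

Replacing `| search section="fraud"` with `| search NOT section="fraud"` excludes those pages instead. Unlike the `*/fraud*` wildcard, this pattern only matches names at the site root that end in one of the listed page suffixes.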