Splunk query help - query for URL that have values...

Splunkanator · ‎01-26-2024

Lets say i would like to query for message that has a URL field with values other than X,Y,Z added as query parameters , how do i go about this ?

TIA

tscroggins · ‎01-27-2024

If your events have an extracted uri_query field, which is typical for e.g. NCSA and W3C log formats, you can use != or NOT to exclude events:

index=main sourcetype=access_common uri_query!=*param=X* uri_query!=*param=Y* uri_query!=*param=Z*

or

index=main sourcetype=access_common NOT uri_query IN (*param=X* *param=Y* *param=Z*)

However, those will exclude events with partially matching names or values.

Performance will vary, but you can use the regex command to match events with fields that do no match a regular expression:

index=main sourcetype=access_common
| regex uri_query!="(^|&)param=(X|Y|Z)(&|$)"

kamlesh_vaghela · ‎01-26-2024

Can you please share some sample events and expected output?

KV

Splunk query help - query for URL that have values other than X,Y,Z