Splunk Search

Splunk query to retrieve logs containing empty query_string

super_edition
Path Finder

Hello team

Below are my splunk logs:

{
body_bytes_sent: 0
bytes_sent: 0
host: nice_host
http_content_type: -
http_referer: -
http_user_agent: -
kong_request_id: 8853b73ffef1c5522b4a383c286c825e
log_type: kong
query_string: -
remote_addr: 10.138.100.153
request_id: 93258e0bc529fa9844e0fd2d69168d0f
request_length: 1350
request_method: GET
request_time: 0.162
scheme: https
server_addr: 10.138.100.151
server_protocol: HTTP/1.1
status: 499
time_local: 25/Feb/2024:05:11:24 +0000
upstream_addr: 10.138.103.157:8080
upstream_host: nice_host
upstream_response_time: 0.000
uri: /v1/d5a413b6-7d00-4874-b706-17b15b7a140b
}


{
body_bytes_sent: 0
bytes_sent: 0
host: nice_host
http_content_type: -
http_referer: -
http_user_agent: -
kong_request_id: 89cea871feba9f2d5216856f7a884223
log_type: kong
query_string: productType=ALL
remote_addr: 10.138.100.214
request_id: 9dbf69defb49a3595cf1040e6ab5d4f2
request_length: 1366
request_method: GET
request_time: 0.167
scheme: https
server_addr: 10.138.100.151
server_protocol: HTTP/1.1
status: 499
time_local: 25/Feb/2024:05:11:24 +0000
upstream_addr: 10.138.98.140:8080
upstream_host: nice_host
upstream_response_time: 0.000
uri: /v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267
}

From the above, I want to extract the request_time and upstream_response_time from the log events for the uri "/v1/*" whose query_string is empty (-).

I tried the search queries below, but they return results containing both events with an empty query_string and events with values (productType=ALL):

index="my_indexx"
| spath host | search host="nice_host"
| eval Operations=case(
searchmatch("GET query_string: - /v1/*"),"getCart")
| stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations
| eval avg_request_time=round(avg_request_time,2)
| eval avg_upstreamTime=round(avg_upstreamTime,2)


index="ek_cloud_k8sdta_digital_platforms_kong"
| spath host | search host="shopping-carts-service-oxygen-dev.apps.stg01.digitalplatforms.aws.emirates.dev"
| eval Operations=case(
match(_raw, "/v1/[^/ ?]"),"getCart")
| stats avg(request_time) as avg_request_time avg(upstream_response_time) as avg_upstreamTime perc90(request_time) as 90_request_time perc90(upstream_response_time) as 90_upstreamResponseTime by Operations
| eval avg_request_time=round(avg_request_time,2)
| eval avg_upstreamTime=round(avg_upstreamTime,2)

Can someone help with this?


tscroggins
Influencer

Hi,

Can you provide a sample of the raw data? It's probably JSON assuming what you've posted is from Splunk's "List" view. The spath command in your search also expects _raw (by default) to be JSON. If that's the case, the fields aren't empty. They have a literal hyphen as their value. For example:

{"body_bytes_sent": "0", "bytes_sent": "0", "host": "nice_host", "http_content_type": "-", "http_referer": "-", "http_user_agent": "-", "kong_request_id": "8853b73ffef1c5522b4a383c286c825e", "log_type": "kong", "query_string": "-", "remote_addr": "10.138.100.153", "request_id": "93258e0bc529fa9844e0fd2d69168d0f", "request_length": "1350", "request_method": "GET", "request_time": "0.162", "scheme": "https", "server_addr": "10.138.100.151", "server_protocol": "HTTP/1.1", "status": "499", "time_local": "25/Feb/2024:05:11:24 +0000", "upstream_addr": "10.138.103.157:8080", "upstream_host": "nice_host", "upstream_response_time": "0.000", "uri": "/v1/d5a413b6-7d00-4874-b706-17b15b7a140b"}
{"body_bytes_sent": "0", "bytes_sent": "0", "host": "nice_host", "http_content_type": "-", "http_referer": "-", "http_user_agent": "-", "kong_request_id": "89cea871feba9f2d5216856f7a884223", "log_type": "kong", "query_string": "productType=ALL", "remote_addr": "10.138.100.214", "request_id": "9dbf69defb49a3595cf1040e6ab5d4f2", "request_length": "1366", "request_method": "GET", "request_time": "0.167", "scheme": "https", "server_addr": "10.138.100.151", "server_protocol": "HTTP/1.1", "status": "499", "time_local": "25/Feb/2024:05:11:24 +0000", "upstream_addr": "10.138.98.140:8080", "upstream_host": "nice_host", "upstream_response_time": "0.000", "uri": "/v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267"}

You can search for the literal value directly:

query_string=-

or

query_string="-"

There is a caveat: the hyphen is a minor breaker and isn't indexed by Splunk as a term. All events will be returned initially, the query_string field will be extracted, and its value will be scanned for a hyphen to filter results.

If your JSON fields aren't auto-extracted, we can investigate your inputs.conf and props.conf settings.
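The point above, that the hyphen is a literal value rather than a missing field, is easy to get wrong in a filter. The following Python script is an added example, not code from either poster or from Splunk: it reproduces the intended search over a few constructed JSON events shaped like the ones in the question (filter on host, uri prefix "/v1/" and query_string equal to "-", then avg and 90th percentile of request_time and upstream_response_time), and contrasts a correct literal-hyphen test with a naive "field is empty" test that matches nothing. The equivalent SPL in the comment, the extra sample events, and the nearest-rank percentile method are assumptions; Splunk's perc90 is approximate on large data sets.

```python
import json
import math
import statistics

# Assumed SPL equivalent of what this script computes (not given on the page):
#   index="my_indexx"
#   | spath
#   | search host="nice_host" uri="/v1/*" query_string="-"
#   | eval Operations="getCart"
#   | stats avg(request_time) as avg_request_time
#           avg(upstream_response_time) as avg_upstreamTime
#           perc90(request_time) as 90_request_time
#           perc90(upstream_response_time) as 90_upstreamResponseTime by Operations
#   | eval avg_request_time=round(avg_request_time,2), avg_upstreamTime=round(avg_upstreamTime,2)

# Constructed sample events in the JSON shape tscroggins assumed; the first two
# mirror the question's records (trimmed to the relevant fields), the rest are
# invented to exercise the host, uri and query_string filters.
SAMPLE_EVENTS = [
    '{"host": "nice_host", "query_string": "-", "request_time": "0.162", "status": "499", '
    '"upstream_response_time": "0.000", "uri": "/v1/d5a413b6-7d00-4874-b706-17b15b7a140b"}',
    '{"host": "nice_host", "query_string": "productType=ALL", "request_time": "0.167", "status": "499", '
    '"upstream_response_time": "0.000", "uri": "/v1/a8b7570f-d0af-4d0d-bd6d-f6cf31892267"}',
    '{"host": "nice_host", "query_string": "-", "request_time": "0.258", "status": "200", '
    '"upstream_response_time": "0.120", "uri": "/v1/00000000-0000-0000-0000-000000000001"}',
    '{"host": "other_host", "query_string": "-", "request_time": "9.000", "status": "200", '
    '"upstream_response_time": "8.000", "uri": "/v1/00000000-0000-0000-0000-000000000002"}',
    '{"host": "nice_host", "query_string": "-", "request_time": "0.300", "status": "200", '
    '"upstream_response_time": "0.140", "uri": "/v2/health"}',
]


def has_literal_hyphen(event):
    """Correct test: Kong/nginx write "-" for an absent value, so compare to the literal."""
    return event.get("query_string") == "-"


def is_missing_naive(event):
    """Naive test that treats the field as empty/absent; matches nothing on this data."""
    return not event.get("query_string")


def is_get_cart(event, host="nice_host"):
    """Equivalent of: search host="nice_host" uri="/v1/*" query_string="-" """
    return (event.get("host") == host
            and event.get("uri", "").startswith("/v1/")
            and has_literal_hyphen(event))


def perc90(values):
    """90th percentile by the nearest-rank method (an assumption; Splunk's perc90 is approximate)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(0.9 * len(ordered)))  # 1-based rank
    return ordered[rank - 1]


def count_matches(raw_lines, predicate):
    """How many events a given query_string test selects; shows why the naive test fails."""
    return sum(1 for line in raw_lines if predicate(json.loads(line)))


def summarize(raw_lines):
    """Parse raw JSON events, keep the getCart ones, and compute the stats row."""
    events = [json.loads(line) for line in raw_lines]
    matched = [e for e in events if is_get_cart(e)]
    req = [float(e["request_time"]) for e in matched]
    ups = [float(e["upstream_response_time"]) for e in matched]
    return {
        "Operations": "getCart",
        "count": len(matched),
        "avg_request_time": round(statistics.fmean(req), 2),
        "avg_upstreamTime": round(statistics.fmean(ups), 2),
        "90_request_time": perc90(req),
        "90_upstreamResponseTime": perc90(ups),
    }


if __name__ == "__main__":
    print("literal '-' matches:", count_matches(SAMPLE_EVENTS, has_literal_hyphen))
    print("naive empty matches:", count_matches(SAMPLE_EVENTS, is_missing_naive))
    print(summarize(SAMPLE_EVENTS))
```

Only two of the five constructed events survive the filter (the second has a real query string, the fourth is another host, the fifth is not under /v1/), and the naive emptiness test selects none of them, which is exactly the trap the hyphen caveat above describes.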
