Splunk Search

Transaction - how to exclude entire transaction based on a keyword

New Member

I have a list of Account IDs and the URLs accessed.
So, for an Account ID, there are many URLs being accessed.

I want to be able to identify Account IDs that
1) ONLY access a certain URL (e.g. URL_Type_01)

So, if they have visited a URL other than "URL_Type_01", then I would drop the entire Account ID from consideration.

I want to be able to ask "Which Account ID has ONLY viewed Type 1", and "Which Account ID has NEVER used Type 1".

To "Show Account IDs that would access ONLY URL_Type01":

e.g. Exclude from transaction/group:

e.g. Exclude from transaction/group:

e.g. Include in transaction/group:
URL_Type 1

Hope I am being clear...

🙂 Many thanks!

0 Karma

Splunk Employee

This is hard to figure out without a sample and your base transaction search, but here is an idea:

2012-06-22 01:12:12 account=001 blah blah
2012-06-22 01:12:14 account=001 URL_Type=01 
2012-06-22 01:13:15 account=001 URL_Type=02
2012-06-22 01:13:18 account=001 URL_Type=02
2012-06-22 01:19:12 account=002 blah blah
2012-06-22 01:18:12 account=002 URL_Type=02
2012-06-22 01:16:12 account=003 blah blah
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:14 account=003 URL_Type=01
2012-06-22 01:14:15 account=003 URL_Type=01

* | transaction account | search URL_Type=01 | eval URL_distinct=mvcount(URL_Type) | search URL_distinct=1
0 Karma

New Member

Thanks yannK. That would work if there are only 2 URLs. However, if there are multiple URLs:

URL_Type_03, URL_Type_04, URL_Type_05, URL_Type_06 etc

And we need to identify Account_ID that only access URL_Type_01 AND URL_Type_04, and not others, then the above search won't work then?


0 Karma
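
Added example, not part of the original thread: one way to handle an allow-list of several URL types, using `stats values()` per account in place of `transaction`. The first search keeps accounts whose URL_Type values all fall inside the allow-list (01 and 04 here); the second keeps accounts that never show URL_Type 01. It assumes the `account` and `URL_Type` fields are extracted as in the sample events above; `url_types` and `disallowed` are names chosen for this example.

```spl
* 
| stats values(URL_Type) AS url_types BY account
| eval disallowed=mvfilter(NOT match(url_types, "^(01|04)$"))
| where isnotnull(url_types) AND isnull(disallowed)

* 
| stats values(URL_Type) AS url_types BY account
| where isnull(mvfind(url_types, "^01$"))
```

Against the sample events, the first search returns only account 003 and the second returns only account 002. To require that an account used both 01 and 04 rather than any subset of them, add `AND mvcount(url_types)=2` to the first `where` clause.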