Splunk Search

Transaction - how to exclude entire transaction based on a keyword

Joshie
New Member

I have a list of Account ID and URL accessed.
So, for an Account ID, there are many URLs being accessed.

I want to be able to identify Account IDs that
1) ONLY access a certain URL (e.g. URL_Type_01)

So, if they have visited a URL other than "URL_Type_01", then I would drop the entire Account ID from consideration.

I want to be able to ask "Which Account ID has ONLY viewed Type 1", and "Which Account ID has NEVER used Type 1".

To "Show Account ID that would access ONLY URL_Type01":

e.g. Exclude from transaction/group:
Account_001
URL_Type_01
URL_Type_02

e.g. Exclude from transaction/group:
Account_002
URL_Type_02

e.g. Include in transaction/group:
Account_003
URL_Type 1

Hope I am being clear...

🙂 Many thanks!

0 Karma

yannK
Splunk Employee

This is hard to figure out without a sample and your base transaction search, but here is an idea:

2012-06-22 01:12:12 account=001 blah blah
2012-06-22 01:12:14 account=001 URL_Type=01 
2012-06-22 01:13:15 account=001 URL_Type=02
2012-06-22 01:13:18 account=001 URL_Type=02
2012-06-22 01:19:12 account=002 blah blah
2012-06-22 01:18:12 account=002 URL_Type=02
2012-06-22 01:16:12 account=003 blah blah
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:14 account=003 URL_Type=01
2012-06-22 01:14:15 account=003 URL_Type=01

* | transaction account | search URL_Type=01 | eval URL_distinct=mvcount(URL_Type) | search URL_distinct=1
0 Karma

Joshie
New Member

Thanks yannK. That would work if there are only 2 URLs. However, if there are multiple URLs:

URL_Type_03, URL_Type_04, URL_Type_05, URL_Type_06 etc

And we need to identify Account_IDs that only access URL_Type_01 AND URL_Type_04, and not others, then the above search won't work?

Cheers!
Joshie

0 Karma
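For the multi-URL case raised in the last post, one approach is to count per account how many events hit each wanted URL type and how many hit anything else, then classify on those counts. This is an added example, not a search from either poster; it assumes the `account` and `URL_Type` fields are extracted as in yannK's sample events, uses `*` as a stand-in for the real base search, and the `hits_*`, `only_*` and `never_01` field names are made up for illustration.

```spl
*
| stats count(eval(URL_Type="01")) AS hits_01
        count(eval(URL_Type="04")) AS hits_04
        count(eval(isnotnull(URL_Type) AND URL_Type!="01" AND URL_Type!="04")) AS hits_other
        values(URL_Type) AS url_types
        BY account
| eval only_01        = if(hits_01>0 AND hits_04=0 AND hits_other=0, "yes", "no")
| eval never_01       = if(hits_01=0, "yes", "no")
| eval only_01_and_04 = if(hits_01>0 AND hits_04>0 AND hits_other=0, "yes", "no")
| table account url_types only_01 never_01 only_01_and_04
```

The `hits_other=0` condition is what drops an account as soon as it touches any URL type outside the allowed set, and events with no `URL_Type` at all (the "blah blah" lines) are not counted against it. Append `| where only_01_and_04="yes"` (or one of the other flags) to keep only the matching accounts.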