Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Web Data Model no referrer

jacqu3sy
Path Finder
‎07-10-2017 01:31 AM

Can anyone help with the following please. Im looking to run a tstats query against the Web Data Model but exclude results where a user has been referrered to a destination.

If I run this directly against the index, it runs fine, but returns nothing when running it against the DM.

Query:

| tstats summariesonly count from datamodel=Web where Web.dest=kali AND Web.http_method=POST NOT Web.category="Web Ads/Analytics" NOT Web.http_user_agent="Mozilla/5.0 Zoom.App" NOT Web.http_referrer="*"

The other NOT statements work fine, but the NOT against Web.http_referrer just returns no results. I have tried using != instead of the NOT but I get the same problem.

Any ideas?

Tags (1)
0 Karma
Reply

sheamus69
Communicator
‎02-20-2018 03:14 AM

Looking at your query, I think the issue lies with the fact the the http_referrer field should be populated with something, even if it is "unknown", which I believe is what the datamodel autopopulates into an empty field. The code below should fix that?

| tstats summariesonly count from datamodel=Web where Web.dest=kali AND Web.http_method=POST NOT Web.category="Web Ads/Analytics" NOT Web.http_user_agent="Mozilla/5.0 Zoom.App" NOT Web.http_referrer="unknown"
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-20-2018 05:31 AM

Yeah you could use this search to see too

| tstats values(http_referrer) from datamodel=Web

Reply

sheamus69
Communicator
‎02-20-2018 06:05 AM

Wouldn't that be

| tstats values(Web.http_referrer) from datamodel=Web

?

Reply

jkat54
SplunkTrust
SplunkTrust
‎02-20-2018 06:29 AM

Sure 🙂 ... my phone really doesn’t like it when I try typing that though. Was hoping someone would comment like you did.

0 Karma
Reply

sheamus69
Communicator
‎02-20-2018 03:05 AM

As a tangientially related query, any idea what generates that particular user agent?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-10-2017 03:02 AM

Is the datamodel accelerated? If not, tstats wont work because it only works on indexed fields within tsidx files.

0 Karma
Reply

jacqu3sy
Path Finder
‎07-10-2017 03:10 AM

yes its accelerated. It works fine. The only problem is excluding from the results URL's that people have been referred to.

I only want to see when people have browsed straight to the site in question rather than referrals which produces too much noise.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...