First of all, I'm a noob with Splunk and I started doing the fundamentals training.
I'm at the logical operators module, and the following question arose from there.
I have http request events that I want to filter out based on whether or not a request header key exists, in my case request.headers.bot. The value of this field does not matter. This field only exists for requests flagged as bots. Regular requests will not have this field.
event:
{
  "id": 123,
  "request": {
    "headers": {
      "cookie": "key=value; something=else;",
      "user-agent": "Mozilla/5.0",
      "bot": "yes"
    },
    "path": "/"
  },
  "time": "2019-07-16T18:08:59.980Z"
}
So, I'm running a search query to find out how many events are not bots.
Before the training I had something like this:
request.path="/" | where isnull('request.headers.bot')
But, while doing the training, I found out you could also do:
request.path="/" NOT request.headers.bot="*"
According to the training video, NOT returns events where the field does not exist or does not have the value specified.
However, for the same period of time, I'm getting different results:
total events: 4000
isnull: 3778
not: 3798
Shouldn't both queries return the same events?
Also, is there a query that I can use to find the missing 20 events between the first and second query?
Thanks!
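One way to list the events that the `NOT` search keeps but the `isnull` search drops, as an added example that is not part of the original post. It assumes the 20 extra events are ones where `request.headers.bot` is present but `bot="*"` does not match it (for instance an empty value), so it shows the raw value in brackets together with its length to make such cases visible:

```spl
request.path="/" NOT request.headers.bot="*"
| where isnotnull('request.headers.bot')
| eval bot_value="[" . 'request.headers.bot' . "]", bot_len=len('request.headers.bot')
| table _time id bot_value bot_len
```

If this returns no rows, the two result sets differ in the other direction, and the same check can be run on the `isnull` search with the `NOT` clause negated.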