I have certain queries like:
www.google.com/?point=1&abc=
www.google.com/?point=1&abc=an123asd
www.google.com/?point=1&abc=
www.google.com/?point=1&abc=
www.google.com/?point=1&abc=asd12t08d
www.google.com/?point=1&abc=08sasd32
and I want the Splunk search to search for only:
www.google.com/?point=1&abc=
www.google.com/?point=1&abc=
www.google.com/?point=1&abc=
By default, Splunk would have extracted these as fields. You can search for something like this:
index=xyz NOT abc=*
If these fields are not extracted by default, you could extract them like this:
base search | extract pairdelim="&" kvdelim="=" | where isnull(abc) OR len(abc)<1
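Added example, not part of the original answer: a self-contained search that builds constructed sample events with makeresults from the URLs in the question, plus one constructed URL with no abc parameter, and applies the answer's where clause to them. It uses rex in place of extract so it does not depend on automatic field extraction; the field names sample, url and abc_state are chosen for this example.

```spl
| makeresults
| eval sample="constructed", url=split("www.google.com/?point=1&abc=,www.google.com/?point=1&abc=an123asd,www.google.com/?point=1&abc=08sasd32,www.google.com/?point=1", ",")
| mvexpand url
| rex field=url "[?&]abc=(?<abc>[^&\s]*)"
| eval abc_state=case(NOT match(url, "[?&]abc="), "absent", isnull(abc) OR len(abc)<1, "empty", true(), "set")
| where isnull(abc) OR len(abc)<1
| table sample url abc_state
```

The where clause also passes events that carry no abc parameter at all, since abc is null for them; add abc_state="empty" to the filter to keep only events where the parameter is present but blank.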