Splunk Search

Transaction - how to exclude entire transaction based on a keyword

Joshie
New Member

I have a list of Account ID and URL accessed.
So, for an Account ID, there are many URLs being accessed.

I want to be able to identify Account ID that
1) ONLY access a certain URL (e.g. URL_Type_01)

So, if they have visited a URL other than "URL_Type_01", then I would drop the entire Account ID from consideration.

I want to be able to ask "Which Account ID has ONLY viewed Type 1", and "Which Account ID has NEVER used Type 1".

To "Show Account ID that would access ONLY URL_Type01":

e.g. Exclude from transaction/group:
Account_001
URL_Type_01
URL_Type_02

e.g. Exclude from transaction/group:
Account_002
URL_Type_02

e.g. Include in transaction/group:
Account_003
URL_Type 1

Hope I am being clear...

🙂 Many thanks!

0 Karma

yannK
Splunk Employee

This is hard to figure out without a sample and your base transaction search, but here is an idea:

2012-06-22 01:12:12 account=001 blah blah
2012-06-22 01:12:14 account=001 URL_Type=01
2012-06-22 01:13:15 account=001 URL_Type=02
2012-06-22 01:13:18 account=001 URL_Type=02
2012-06-22 01:19:12 account=002 blah blah
2012-06-22 01:18:12 account=002 URL_Type=02
2012-06-22 01:16:12 account=003 blah blah
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:14 account=003 URL_Type=01
2012-06-22 01:14:15 account=003 URL_Type=01

* | transaction account | search URL_Type=01 | eval URL_distinct=mvcount(URL_Type) | search URL_distinct=1
0 Karma

Joshie
New Member

Thanks yannK. That would work if there are only 2 URLs. However, if there are multiple URLs:

URL_Type_03, URL_Type_04, URL_Type_05, URL_Type_06 etc

And we need to identify Account_IDs that only access URL_Type_01 AND URL_Type_04, and not others, then the above search won't work?

Cheers!
Joshie

0 Karma
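
An added example, not posted by either participant: one way to cover the follow-up case with more than two URL types is to collect each account's distinct URL_Type values with stats (used here instead of transaction) and test that set. The events are constructed for illustration, and the output field names (only_01, only_01_and_04, within_01_04, never_01) are assumptions.

```spl
| makeresults
| eval constructed_events="account=001 URL_Type=01;account=001 URL_Type=02;account=002 URL_Type=02;account=003 URL_Type=01;account=003 URL_Type=01;account=004 URL_Type=01;account=004 URL_Type=04;account=005 URL_Type=04;account=005 URL_Type=05"
| makemv delim=";" constructed_events
| mvexpand constructed_events
| rex field=constructed_events "account=(?<account>\d+)\s+URL_Type=(?<URL_Type>\d+)"
| stats values(URL_Type) AS url_types dc(URL_Type) AS url_count BY account
| eval allowed_count=coalesce(mvcount(mvfilter(match(url_types, "^(01|04)$"))), 0)
| eval only_01=if(url_count == 1 AND url_types == "01", "yes", "no")
| eval only_01_and_04=if(mvjoin(url_types, ",") == "01,04", "yes", "no")
| eval within_01_04=if(allowed_count == url_count, "yes", "no")
| eval never_01=if(isnull(mvfind(url_types, "^01$")), "yes", "no")
| table account url_types only_01 only_01_and_04 within_01_04 never_01
```

To run it on real data, replace the lines from makeresults through rex with a base search that returns the account and URL_Type fields. only_01_and_04 requires both types and nothing else, while within_01_04 also accepts accounts that used just one of the two.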