Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Web Data Model no referrer

jacqu3sy
Path Finder
‎07-10-2017 01:31 AM

Can anyone help with the following please. Im looking to run a tstats query against the Web Data Model but exclude results where a user has been referrered to a destination.

If I run this directly against the index, it runs fine, but returns nothing when running it against the DM.

Query:

| tstats summariesonly count from datamodel=Web where Web.dest=kali AND Web.http_method=POST NOT Web.category="Web Ads/Analytics" NOT Web.http_user_agent="Mozilla/5.0 Zoom.App" NOT Web.http_referrer="*"

The other NOT statements work fine, but the NOT against Web.http_referrer just returns no results. I have tried using != instead of the NOT but I get the same problem.

Any ideas?

Tags (1)
0 Karma
Reply

sheamus69
Communicator
‎02-20-2018 03:14 AM

Looking at your query, I think the issue lies with the fact the the http_referrer field should be populated with something, even if it is "unknown", which I believe is what the datamodel autopopulates into an empty field. The code below should fix that?

| tstats summariesonly count from datamodel=Web where Web.dest=kali AND Web.http_method=POST NOT Web.category="Web Ads/Analytics" NOT Web.http_user_agent="Mozilla/5.0 Zoom.App" NOT Web.http_referrer="unknown"
Reply

jkat54
SplunkTrust
SplunkTrust
‎02-20-2018 05:31 AM

Yeah you could use this search to see too

| tstats values(http_referrer) from datamodel=Web

Reply

sheamus69
Communicator
‎02-20-2018 06:05 AM

Wouldn't that be

| tstats values(Web.http_referrer) from datamodel=Web

?

Reply

jkat54
SplunkTrust
SplunkTrust
‎02-20-2018 06:29 AM

Sure 🙂 ... my phone really doesn’t like it when I try typing that though. Was hoping someone would comment like you did.

0 Karma
Reply

sheamus69
Communicator
‎02-20-2018 03:05 AM

As a tangientially related query, any idea what generates that particular user agent?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-10-2017 03:02 AM

Is the datamodel accelerated? If not, tstats wont work because it only works on indexed fields within tsidx files.

0 Karma
Reply

jacqu3sy
Path Finder
‎07-10-2017 03:10 AM

yes its accelerated. It works fine. The only problem is excluding from the results URL's that people have been referred to.

I only want to see when people have browsed straight to the site in question rather than referrals which produces too much noise.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...