Hi,
In another thread i have asked about if there is a way to identify if a particular cookie not being sent at all in the request. i got the below answer.
Is there a field like cookie= available? if so, look for "cookie=*" to get all answers with "cookie=" in the event. Then you can check " ...| eval isnull(cookie)" to see what entries have nothing set for cookie.
we ran a test to see how splunk displays when we don't send a cookie at all. We sent three HTTP requests, (1) Cookie=WEB (2) Cookie= (3) no Cookie. For #2 and #3 both of these result in the same result of "-".
So how do we find if the cookie is not sent or if the cookie is sent but no value in splunk.
The "-" is inserted by web logger as a place holder when there is no value.
Splunk puts the "-" in the field because that is what is in the log. Splunk will have no way of differentiating between cookie=null and no cookie.
The "-" is inserted by web logger as a place holder when there is no value.
Splunk puts the "-" in the field because that is what is in the log. Splunk will have no way of differentiating between cookie=null and no cookie.
Thank you.