Hi there, so I had a nice search return but I have a few bits that I don't want in the search. Really all I care about are the HTTP responses of 200 and I don't want to see anything with "WhatsUp/1.0" because that's just noise. Is there a good piece of documentation on this?
Trying to figure out what kind of web traffic is on a really old server that needs to be retired. Also, is there good documentation on this type of practice?
You can remove events from search results by specifying filters, preferably in base search like this
index=foo sourcetype=bar http_status=200 NOT ("WhatsUp/1.0")
You can refer to Splunk search tutorial for more examples.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchTutorial/Usethesearchlanguage
You can remove events from search results by specifying filters, preferably in base search like this
index=foo sourcetype=bar http_status=200 NOT ("WhatsUp/1.0")
You can refer to Splunk search tutorial for more examples.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchTutorial/Usethesearchlanguage
Do you have to specify the source type?
Specifying more metadata field filters (index/host/source/sourcetype etc) in base search can optimize the performance.
Oh I see, it looks like status= not http_status This looks good! Thank you for the documentation!