Splunk Search

Only show transactions that don't contain a certain value

sfrazer
Explorer

This may have been asked before, but I'm having trouble finding it.

I have weblogs that I've sliced into transactions like this:

sourcetype=access_log | transaction srcip maxspan=15m

I'm looking for entries that NEVER have a cookie set. In a transaction where a cookie is set, I have 2 or more values for cookies; I see this in the cookie field:

cookie
    -
    s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1

So I'd like for this transaction to not appear in my result set.

I've tried this, without success:

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie = "-")

but it still returns the example with 2 cookies in it.

0 Karma

sfrazer
Explorer

Neither of the suggestions quite got at what I was trying to do.

I ended up doing this instead:

sourcetype="access_log" status=200  | transaction srcip maxspan=15m | nomv cookie | search cookie="-"

This collapsed the separate cookie variables into one cookie field which I then inspect to see if it had more than a blank entry (our web server records "no cookie" as "-") and discard everything that's ever had a cookie.

Not sure if there's a better way to have done this...

0 Karma
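To make the difference between the two filters concrete, here is an added Python model of the thread's logic (not Splunk code and not from any poster): it groups constructed access-log events by srcip into transactions with a 15-minute maxspan, keeps cookie as a multivalue list, and then applies the two filters discussed. Assumptions are labelled in the comments: the comparison the original poster tried is modelled as matching when any value of the multivalue field equals "-" (consistent with what they observed), transaction output is modelled with duplicate values collapsed, and nomv is modelled as joining the values with a space.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (timestamp, srcip, status, cookie).
# The web server records "no cookie" as "-", as in the thread.
EVENTS = [
    ("2024-05-01 10:00:00", "10.0.0.1", 200, "-"),
    ("2024-05-01 10:05:00", "10.0.0.1", 200,
     "s_vi=[CS]v1|00000000000000-00000000000[CE]; _gat_UA-00000000=1"),
    ("2024-05-01 10:01:00", "10.0.0.2", 200, "-"),
    ("2024-05-01 10:09:00", "10.0.0.2", 200, "-"),
    ("2024-05-01 10:00:00", "10.0.0.3", 200, "sessionid=abc123"),
    ("2024-05-01 10:40:00", "10.0.0.2", 200, "-"),  # > 15 min after 10:01 -> new transaction
]

MAXSPAN = timedelta(minutes=15)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def transactions(events, maxspan=MAXSPAN):
    """Model of `transaction srcip maxspan=15m`: events are grouped per srcip in
    time order, and a new transaction starts when an event falls more than
    maxspan after the first event of the current one. The cookie field becomes
    a multivalue list; duplicate values are collapsed (assumption about how the
    transaction command merges field values)."""
    by_ip = {}
    for ts, ip, _status, cookie in sorted(events, key=lambda e: _parse(e[0])):
        by_ip.setdefault(ip, []).append((_parse(ts), cookie))
    result = []
    for ip, evs in by_ip.items():
        current = None
        for t, cookie in evs:
            if current is None or t - current["start"] > maxspan:
                current = {"srcip": ip, "start": t, "cookie": []}
                result.append(current)
            if cookie not in current["cookie"]:
                current["cookie"].append(cookie)
    return result


def where_any_equals(txns, value="-"):
    """Model of the filter the poster tried (`where cookie = "-"`), assuming the
    comparison succeeds when ANY value of the multivalue field equals the
    target. A transaction holding both "-" and a real cookie still passes,
    which is the unwanted result described in the question."""
    return [t for t in txns if value in t["cookie"]]


def nomv_search(txns, value="-"):
    """Model of `nomv cookie | search cookie="-"`: collapse the values into one
    string (joined with a space here; the exact separator nomv uses does not
    matter for the check) and require the whole string to equal "-". Any
    transaction that ever carried a real cookie no longer matches."""
    return [t for t in txns if " ".join(t["cookie"]) == value]


def never_had_cookie(txns, value="-"):
    """The intent stated directly: keep a transaction only if every cookie
    value it contains is the no-cookie marker."""
    return [t for t in txns if all(c == value for c in t["cookie"])]


if __name__ == "__main__":
    txns = transactions(EVENTS)
    for label, fn in (("where any value = '-'", where_any_equals),
                      ("nomv + search", nomv_search),
                      ("all values = '-'", never_had_cookie)):
        print(label, [(t["srcip"], t["cookie"]) for t in fn(txns)])
```

Running the block shows the first filter returning the 10.0.0.1 transaction that has a real cookie alongside "-", while the collapsed-field check and the explicit all-values check agree and return only the 10.0.0.2 transactions.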

jkat54
SplunkTrust

sourcetype=access_log NOT cookie=*
| transaction srcip maxspan=15m

0 Karma

sbbadri
Motivator

sourcetype=access_log | transaction srcip maxspan=15m | where (cookie!= "-")

0 Karma