Splunk Search

Transaction - how to exclude entire transaction based on a keyword

Joshie
New Member

I have a list of Account ID and URL accessed.
So, for an Account ID, there are many URLs being accessed.

I want to be able to identify Account ID that
1) ONLY access a certain URL (e.g. URL_Type_01)

So, if they have visited a URL other than "URL_Type_01", then I would drop the entire Account ID from consideration.

I want to be able to ask "Which Account ID has ONLY viewed Type 1", and "Which Account ID has NEVER used Type 1".

To "Show Account ID that would access ONLY URL_Type01"

e.g. Exclude from transaction/group:
Account_001
URL_Type_01
URL_Type_02

e.g. Exclude from transaction/group:
Account_002
URL_Type_02

e.g. Include in transaction/group:
Account_003
URL_Type 1

Hope I am being clear...

🙂 Many thanks!

0 Karma

yannK
Splunk Employee

This is hard to figure out without a sample and your base transaction search, but here is an idea:

2012-06-22 01:12:12 account=001 blah blah
2012-06-22 01:12:14 account=001 URL_Type=01 
2012-06-22 01:13:15 account=001 URL_Type=02
2012-06-22 01:13:18 account=001 URL_Type=02
2012-06-22 01:19:12 account=002 blah blah
2012-06-22 01:18:12 account=002 URL_Type=02
2012-06-22 01:16:12 account=003 blah blah
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:12 account=003 URL_Type=01
2012-06-22 01:14:14 account=003 URL_Type=01
2012-06-22 01:14:15 account=003 URL_Type=01

* | transaction account | search URL_Type=01 | eval URL_distinct=mvcount(URL_Type) | search URL_distinct=1
0 Karma

Joshie
New Member

Thanks yannK. That would work if there are only 2 URLs. However, if there are multiple URLs:

URL_Type_03, URL_Type_04, URL_Type_05, URL_Type_06 etc

And if we need to identify Account_IDs that only access URL_Type_01 AND URL_Type_04, and not others, then the above search won't work?

Cheers!
Joshie

0 Karma
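
For the follow-up case of an allowed set of URL types, one approach is to flag each event and aggregate per account with stats instead of transaction. This is an added example, not part of the thread and not posted by either participant; it assumes the `account` and `URL_Type` fields from yannK's sample events, and `in_set`, `only_in_set`, `any_in_set`, `distinct_types` and `url_types` are names chosen here for illustration.

```spl
URL_Type=*
| eval in_set=if(match(URL_Type, "^(01|04)$"), 1, 0)
| stats min(in_set) AS only_in_set, max(in_set) AS any_in_set, dc(URL_Type) AS distinct_types, values(URL_Type) AS url_types BY account
| where only_in_set=1
```

An account is kept only when every one of its URL events falls in the allowed set, so a single event of any other type drops the whole account; add `AND distinct_types=2` to require that both 01 and 04 were seen. Replacing the last line with `| where any_in_set=0` lists the accounts that never touched the set.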