When I do the following search
sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] | transaction clientip
I get transactions that include all the requests for .css, .js, .png, etc. I'd like to remove that clutter from the transactions. Being simple-minded, I tried:
sourcetype="access*" [ search method="POST" |fields clientip | rename clientip as query ] | transaction clientip | regex url!="\.(png|css|js|ico)"
But that didn't help. How can I exclude stuff I don't want to see within a transaction?
Thanks -- Peter