treemark.blogg.se

Keywords everywhere parse error









| where day_of_week in ("Saturday","Sunday")

Use the where operator to match only weekend days.

| sum(ie) as ie, sum(firefox) as firefox, sum(safari) as safari, sum(chrome) as chrome

| if (agent matches "*Chrome*",1,0) as chrome

| if (agent matches "*Safari*",1,0) as safari


| if (agent matches "*Firefox*",1,0) as firefox


| transpose row _timeslice column status_code_group

For more information, see Timeslice and Transpose.

For the Source Category "apache", find all messages with a client error status code (40*)

For the Source Category "apache", count hits by browser

Or alternately you can use: _sourceCategory=Apache/Access


| if (!(status_code matches "20*" or status_code matches "30*" or status_code matches "40*" or status_code matches "50*"),1,0) as resp_others

| transpose row _timeslice column status_code

For the Source Category "apache", count by status_code and timeslice into 5 buckets over search result

For the Source Category "Apache/Access", count messages by status code categories, grouping all 200s, 300s, 400s, and 500s together.

| parse "HTTP/1.1\" * * \"" as (status_code, size)

For the Source Category "apache", count by status_code and timeslice of 1 hour, transpose status_code to column

Identify the top 100 source IP addresses by number of hits.

For more information, see Parsing, Count, and Top.

For the Source Category "apache", count by status_code and timeslice of 1 hour

Identify the top 10 source IP addresses by bandwidth usage.

Identify the total number of pages by source IP address and re-order them by most frequently loaded pages.

Identify the total number of pages by source IP address.

Identify the number of times a URL has been visited.

Identify traffic from Source Category "apache" and extract the source addresses, message sizes, and the URLs visited.

For the Source Category "apache", calculate the total number of bytes transferred to each source IP address.

For the Source Category "apache", calculate the average size of all successful HTTP responses.

For the Source Category "apache", extract src, size, and URL even if the size field is missing from the log message (nodrop).

Identify all URL addresses visited, extract them as the "url" field.

For example, if a raw event contains "From: Jane To: John", then from=Jane and to=John.

Extract the source IP addresses using a regular expression for the four octets of an IP address.









