I am trying to identify which source types produce data with the same log format. Currently, I am using this query to show the highest percentage log pattern for access logs in my domain:
sourcetype=*access* | cluster t=.7 labelonly=t | findkeywords labelfield=cluster_label | table sampleEvent percentInInputGroup | sort - percentInInputGroup | top limit=10 percentInInputGroup
How do I show which source types are being used to produce logs in that pattern group?
Am I approaching this the correct way?
@kmorris's comment is spot on, IMHO.
You can start with something like this, for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype
Hope it helps.
Try using the punct field. This pulls out all of the punctuation in an event, which can be helpful in identifying similar events.