Splunk Search

Complicated (to me anyways) query.


I have an Apache Access log which I'm searching for any .cgi or .pl file hit with the latest date it's been hit.

Some of the .cgi or .pl do get parameters passed after the question mark (ie test.pl?user=nobody&location=uk). I don't want to capture that information.

So, basically, I'd like to have a table with two columns - cgi/pl name (full path so we ensure we get the right one), and the last time it was hit.

Is that possible?


Re: Complicated (to me anyways) query.

Super Champion

Should be able to do this with a search like this:

sourcetype=access_common (.cgi OR .pl) | stats max(_time) as last_time by uri_path | convert ctime(last_time)

The uri_path field should contain everything up to the .pl or .cgi but not any of the args (the stuff after ?)



Re: Complicated (to me anyways) query.

Splunk Employee

In order for Lowell's search to work, your Apache Access log needs to be sourcetyped access_common. If it is not (e.g. you are using your own sourcetype), the uri_path field needs to be defined.
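The two answers above amount to (a) extracting a uri_path field that drops the query string and (b) keeping the latest timestamp per path. The following Python script is an added example, not code from the thread or from Splunk, that does both outside Splunk against a few constructed access-log lines, so you can check what the search should return. The regex is a hand-written approximation of the field extraction the access_common sourcetype performs, not Splunk's own transform, and it filters on the uri_path suffix rather than on the raw-text terms `.cgi OR .pl`.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample Apache access log lines (common log format); not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.pl?user=nobody&location=uk HTTP/1.1" 200 512
10.0.0.6 - - [11/Oct/2023:09:12:01 +0000] "GET /cgi-bin/test.pl HTTP/1.1" 200 512
10.0.0.7 - - [12/Oct/2023:17:30:45 +0000] "POST /admin/report.cgi?id=7 HTTP/1.1" 200 2048
10.0.0.8 - - [09/Oct/2023:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [13/Oct/2023:22:10:10 +0000] "GET /scripts/other.cgi HTTP/1.1" 404 210
"""

# Hand-written approximation of the access_common field extraction (assumption, not Splunk's transform).
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<protocol>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Extract fields from one log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # uri_path keeps everything before '?', like Splunk's uri_path; the query args are dropped.
    fields["uri_path"] = urlsplit(fields["uri"]).path
    # Apache timestamp -> timezone-aware datetime (the analogue of _time).
    fields["_time"] = datetime.strptime(fields["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return fields


def last_hit_by_script(log_text, suffixes=(".cgi", ".pl")):
    """Equivalent of: (.cgi OR .pl) | stats max(_time) as last_time by uri_path."""
    last_time = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["uri_path"].endswith(suffixes):
            continue
        path = ev["uri_path"]
        if path not in last_time or ev["_time"] > last_time[path]:
            last_time[path] = ev["_time"]
    return last_time


def format_table(last_time):
    """Render the result as (uri_path, last_time) rows, similar to | convert ctime(last_time)."""
    return [(p, t.strftime("%m/%d/%Y %H:%M:%S")) for p, t in sorted(last_time.items())]


if __name__ == "__main__":
    for path, when in format_table(last_hit_by_script(SAMPLE_LOG)):
        print(f"{path:30} {when}")
```

Note that, like the Splunk search, this counts every request to the script as a hit regardless of status code, so a path that only ever returned 404 still appears in the table; add a status filter if you only want scripts that actually executed.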