Solved: Complicated (to me anyways) query.

Brian_Osburn · ‎07-09-2010

I have an Apache Access log which I'm searching for any .cgi or .pl file hit with the latest date it's been hit.

Some of the .cgi or .pl do get parameters passed after the question mark (ie test.pl?user=nobody&location=uk). I don't want to capture that information.

So, basically, I'd like to have a table with two columns - cgi/pl name (full path so we ensure we get the right one), and the last time it was hit.

Is that possible?

Lowell · ‎07-09-2010

Should be able to do this with a search like this:

sourcetype=access_common (.cgi OR .pl) | stats max(_time) as last_time by uri_path | convert ctime(last_time)

The uri_path field should contain evertying up to the .pl or .cgi but not any of the args (the stuff after ?)

View solution in original post

Lowell · ‎07-09-2010

Should be able to do this with a search like this:

sourcetype=access_common (.cgi OR .pl) | stats max(_time) as last_time by uri_path | convert ctime(last_time)

The uri_path field should contain evertying up to the .pl or .cgi but not any of the args (the stuff after ?)

hulahoop · ‎07-12-2010

In order for Lowell's search to work, your Apache Access log needs to be sourcetyped access_common. If it is not (e.g. you are using your own sourcetype), the uri_path field need to be defined.

Complicated (to me anyways) query.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life