Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The command is:
sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action | rename action as Actio
Thank you!
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid
- this will retrieve events from cisco_wsa_squid
BLOCK
- you will get all the events from sourcetype=cisco_wsa_squid that contain the BLOCK keyword.
|
- output of before | acts as an input to after pipe, i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name"
- The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain the BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined
- this will retrieve events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action
- it will give you the total count of the action field, the average price and the sum of price from the retrieved events of access_combined, distributed by action values
rename action as Action
- it will rename the action field as Action
I hope this helps!
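To make the second search concrete, here is an added example (not from the original thread) that models what `stats count(action) ... sum(price) ... by action | rename action as Action` produces, run over a handful of constructed access_combined-style events. It assumes the same Splunk semantics the answer describes: events without the split-by field are dropped, count(field) counts only events where that field exists, and avg/sum ignore events lacking the field.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the original post): web-store
# access_combined events where 'action' or 'price' may be missing,
# which is common in real access logs.
EVENTS = [
    {"action": "purchase", "price": 20.0},
    {"action": "purchase", "price": 30.0},
    {"action": "addtocart", "price": 15.0},
    {"action": "view"},        # has an action but no price field
    {"price": 99.0},           # no action field: dropped by "by action"
]


def stats_by_action(events):
    """Model:
      stats count(action) as "Total Events" avg(price) as "Average Price"
            sum(price) as "Total Amount" by action
      | rename action as Action
    Returns one result row (dict) per distinct action value, sorted the way
    stats orders its split-by values. A group with no price values gets
    null (None) for the avg and sum columns instead of 0."""
    groups = defaultdict(list)
    for event in events:
        # "by action" keeps only events that actually carry the field
        if "action" in event:
            groups[event["action"]].append(event)

    rows = []
    for action in sorted(groups):
        group = groups[action]
        prices = [e["price"] for e in group if "price" in e]
        rows.append({
            "Action": action,  # the rename step: action -> Action
            # count(action): events in this group where 'action' is present
            "Total Events": sum(1 for e in group if "action" in e),
            "Average Price": mean(prices) if prices else None,
            "Total Amount": sum(prices) if prices else None,
        })
    return rows


if __name__ == "__main__":
    for row in stats_by_action(EVENTS):
        print(row)
```

The `{"price": 99.0}` event never appears in the output, which is why a plain `stats count` and a `stats count(action) ... by action` can report different totals over the same events.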
I'm trying to do a similar search as above, but I can never reach the blocked or potentially blocked data?
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked
Perfect... Really Good.