Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The commands are:
sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
Thank you!
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid - this will retrieve events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contain the BLOCK keyword.
| - the output of what comes before the pipe acts as the input to what comes after it, i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name" - The stats command calculates statistics based on fields in your events. It will give you all the threat names from the logs that contain the BLOCK keyword.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrieve events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of the action field, the average price and the sum of price from the retrieved events of access_combined, distributed by action values
rename action as Action - it will rename the action field as Action
I hope this helps!
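To make the two pipelines concrete, here is an added Python model of what each stage does, run over constructed sample events. This is example code written for this thread, not Splunk's implementation and not code from the original posts; the sample log lines, the extra field values and the simplified substring keyword match (Splunk matches indexed terms, case-insensitively) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data). The access_combined lines
# mimic web-store logs where action and price travel as query parameters.
ACCESS_COMBINED = [
    '10.0.0.1 - - [01/Jan/2024:10:00:00] "GET /cart.do?action=purchase&price=29.99 HTTP/1.1" 200',
    '10.0.0.2 - - [01/Jan/2024:10:00:05] "GET /cart.do?action=purchase&price=10.01 HTTP/1.1" 200',
    '10.0.0.3 - - [01/Jan/2024:10:00:09] "GET /cart.do?action=addtocart&price=5.00 HTTP/1.1" 200',
    '10.0.0.3 - - [01/Jan/2024:10:00:12] "GET /cart.do?action=addtocart HTTP/1.1" 200',
    '10.0.0.4 - - [01/Jan/2024:10:00:20] "GET /favicon.ico HTTP/1.1" 404',
]

# Constructed cisco_wsa_squid-style events with the threat-name field already
# extracted; the raw text and threat names are made up.
CISCO_WSA = [
    {"_raw": "TCP_DENIED/403 BLOCK_WEBCAT http://bad.example/", "x_webroot_threat_name": "Trojan.Generic"},
    {"_raw": "TCP_DENIED/403 BLOCK_AMW http://worse.example/", "x_webroot_threat_name": "Spyware.Sample"},
    {"_raw": "TCP_MISS/200 ALLOW_WBRS http://ok.example/", "x_webroot_threat_name": "Trojan.Generic"},
    {"_raw": "TCP_DENIED/403 BLOCK_WEBCAT http://bad.example/again", "x_webroot_threat_name": "Trojan.Generic"},
]

QUERY_RE = re.compile(r'"(?:GET|POST) \S*?\?([^ "]*) HTTP/')


def extract_fields(raw):
    """Turn one access_combined line into an event dict with _raw plus any
    key=value pairs found in the request query string (action, price)."""
    fields = {"_raw": raw}
    m = QUERY_RE.search(raw)
    if m:
        for pair in m.group(1).split("&"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                fields[key] = value
    return fields


def search(events, keyword=None):
    """The part before the first pipe: keep events whose raw text contains the
    keyword (case-insensitive substring here, an approximation of Splunk's
    term matching). No keyword means every event passes through."""
    if keyword is None:
        return list(events)
    needle = keyword.lower()
    return [e for e in events if needle in e["_raw"].lower()]


def stats_values(events, field):
    """stats values(field): the distinct non-null values, sorted. Duplicates
    across events collapse to one entry."""
    return sorted({e[field] for e in events if e.get(field) is not None})


def stats_by_action(events):
    """stats count(action) avg(price) sum(price) by action | rename action as Action.

    count(action) counts only events that carry the action field, so the
    favicon request above lands in no row. avg/sum skip events whose price is
    missing or non-numeric; a group with no usable price gets an empty cell
    (None here), which is how the Splunk result table shows it."""
    groups = defaultdict(lambda: {"count": 0, "prices": []})
    for e in events:
        action = e.get("action")
        if action is None:
            continue
        group = groups[action]
        group["count"] += 1
        try:
            group["prices"].append(float(e["price"]))
        except (KeyError, ValueError):
            pass
    rows = []
    for action in sorted(groups):
        prices = groups[action]["prices"]
        rows.append({
            "Action": action,  # the rename step
            "Total Events": groups[action]["count"],
            "Average Price": round(sum(prices) / len(prices), 2) if prices else None,
            "Total Amount": round(sum(prices), 2) if prices else None,
        })
    return rows


if __name__ == "__main__":
    blocked = search(CISCO_WSA, "BLOCK")
    print("Threat Name:", stats_values(blocked, "x_webroot_threat_name"))
    for row in stats_by_action([extract_fields(line) for line in ACCESS_COMBINED]):
        print(row)
```

Running it shows the two points that usually confuse people reading these searches: `values()` deduplicates, so two blocked Trojan.Generic events produce one "Threat Name" entry, and `count(action)` is a per-field count, so an event without an action field is not counted anywhere even though the base search returned it.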
I'm trying to do a similar search as above, but I can never reach the blocked or potentially blocked data?
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked
Perfect... Really Good.