It seems simple but somehow the answer escapes me. I have Apache http access logs and I want to look for source IPs that produced the highest number of HTTP response codes, methods, etc.
E.g. 10.10.10.10 only used GET, while 22.214.171.124 used GET, POST, PUT, etc on my webserver. You can see where I am going with this.
So, what kinda query would do it?
asked 31 May '11, 17:11
In addition to what lguinn posted, this
is fairly explicit.
answered 31 May '11, 19:44
Here are two examples of what you asked for --
Most number of methods used, not counting duplicates
Most number of unique pages visited
But here are variations that might be more useful --
Finally, take it to the next level by clicking the "Build Report" button and making a graph or chart of the results!
answered 31 May '11, 17:35
In the end, I ended up using these:
sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, method | stats count by clientip | sort -count
sourcetype="access_combined_wcookie" OR sourcetype="access_combined" | stats count by clientip, status | stats count by clientip | sort -count
with GREAT results that led me to some fun web mayhem that was happening.
Thanks a lot to all involved :-)
answered 01 Jun '11, 16:06
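The two accepted searches above count, per client IP, how many distinct methods or status codes it produced. The following is an added Python example, not from the original thread, that does the same aggregation directly over Apache combined-format log lines (what the access_combined sourcetype parses) so the logic can be checked without Splunk; the sample log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Apache combined log format: clientip ident user [time] "METHOD uri proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (not from the original post): one client that only does GETs,
# and one that walks through several methods and draws several status codes.
SAMPLE_LOG = """\
10.10.10.10 - - [31/May/2011:17:11:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.10.10 - - [31/May/2011:17:11:05 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.10 - - [31/May/2011:17:11:09 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"
22.214.171.124 - - [31/May/2011:17:12:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.21"
22.214.171.124 - - [31/May/2011:17:12:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.21"
22.214.171.124 - - [31/May/2011:17:12:02 +0000] "PUT /upload.php HTTP/1.1" 403 233 "-" "curl/7.21"
22.214.171.124 - - [31/May/2011:17:12:03 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "curl/7.21"
22.214.171.124 - - [31/May/2011:17:12:04 +0000] "PUT /upload.php HTTP/1.1" 403 233 "-" "curl/7.21"
this line is not an access log entry and is skipped
"""


def parse(lines):
    """Yield (clientip, method, status) for every line that matches the format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["clientip"], m["method"], int(m["status"])


def distinct_per_client(records, field):
    """Equivalent of `stats count by clientip, <field> | stats count by clientip | sort -count`:
    the number of distinct values of `field` ("method" or "status") seen per client IP,
    highest first. A client with unusually many methods or status codes is the one to look at."""
    idx = {"method": 1, "status": 2}[field]
    seen = defaultdict(set)
    for rec in records:
        seen[rec[0]].add(rec[idx])
    return sorted(((ip, len(v)) for ip, v in seen.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG.splitlines()))
    for field in ("method", "status"):
        print(field, distinct_per_client(recs, field))
```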