Complicated (to me anyways) query.

Question

I have an Apache Access log which I'm searching for any .cgi or .pl file hit with the latest date it's been hit.

Some of the .cgi or .pl do get parameters passed after the question mark (ie test.pl?user=nobody&location=uk). I don't want to capture that information.

So, basically, I'd like to have a table with two columns - cgi/pl name (full path so we ensure we get the right one), and the last time it was hit.

Is that possible?

Accepted Answer

2

Should be able to do this with a search like this:

sourcetype=access_common (.cgi OR .pl) | stats max(_time) as last_time by uri_path | convert ctime(last_time)

The uri_path field should contain evertying up to the .pl or .cgi but not any of the args (the stuff after ?)

link

answered 09 Jul '10, 20:06

Lowell ♦
9.6k●6●37
accept rate: 40%

1

In order for Lowell's search to work, your Apache Access log needs to be sourcetyped access_common. If it is not (e.g. you are using your own sourcetype), the uri_path field need to be defined.

(12 Jul '10, 21:05) hulahoop ♦

Complicated (to me anyways) query.

Follow this question

Splunk Resources

Related questions