index=* host=* |where (NOT cidrmatch("10.0.0.0/8",dst) AND NOT cidrmatch("172.16.40.0/24",dst)) | top dst
top clientip|fields clientip count |rename clientip as "攻击源" |rename count as "攻击次数" (drops the trailing percent field)
top clientip|fields - percent |rename clientip as "攻击源" |rename count as "攻击次数"
source="tutorialdata.zip:*" index="tutorialdata" host="www1" | table _time,clientip,status
source="tutorialdata.zip:*" index="tutorialdata" host="www1" | table _time,clientip,status|sort -clientip,+status
stats count(): a field may be given in the parentheses; counts events
stats dc(): distinct count, counts the unique values after deduplication
stats values(): lists the deduplicated values of the field in the parentheses
stats list(): lists every value of the field in the parentheses, without deduplication
stats avg(): computes the average
source="tutorialdata.zip:*" index="tutorialdata" host="www1"|stats count(clientip)
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" |stats dc(clientip)
index="tutorialdata" sourcetype="access_combined_wcookie" |stats values(host) as "主机列表"
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" |stats list(host)
chart: returns the results as a table output suitable for building charts.
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | chart count by host
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | timechart count by host
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | timechart span=8h count by host
index="tutorialdata" sourcetype="access_combined_wcookie" "action=purchase" status=200 clientip="87.194.216.51"|stats count dc(productId),values(productId) by clientip
(Search successful purchases with status 200 from IP 87.194.216.51, count the products bought, list the distinct product names, and finally display the results by clientip)
… |where (NOT cidrmatch("10.52.0.0/24",ipfield) AND NOT cidrmatch("10.52.40.0/24",ipfield))|table ipfield
# Count 4xx and 5xx events
index="apachedata" sourcetype="access_combined_wcookie" status > 200 | stats count by status
Time-trend chart of 4xx and 5xx events (line, area or column chart), visualised as a line chart
index="apachedata" sourcetype="access_combined_wcookie" status>200 | timechart count by status
200 means "success", everything else is "error"; count the events
eval command and if function: eval evaluates an expression and stores the result in a field
if(condition, result when true, result when false)
index="apachedata" sourcetype="access_combined_wcookie" | eval success=if(status==200,"成功","错误")| timechart count by success
Comparison chart of the 200, 400 and 500 event counts for each host
200 labelled "success", 400 labelled "client error", 500 labelled "server error"; save as a column chart visualisation and add it to an existing dashboard panel
index="apachedata" sourcetype="access_combined_wcookie" | chart count(eval(status==200)) as "成功", count(eval(status==400)) as "客户端错误", count(eval(status==500)) as "服务器错误" by host
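The same logic as the cidrmatch exclusion above and the eval/chart-by-host classification, re-implemented in Python as an added example (not from the notes or from Splunk) over a few constructed access_combined_wcookie lines; the host field is prefixed to each line because Splunk normally carries it as metadata, and status is bucketed by whole 2xx/4xx/5xx ranges rather than the exact 200/400/500 the notes test.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, not from the tutorial data; "host" is prefixed to each line.
SAMPLE_LOG = """\
www1 10.0.0.5 - - [10/Mar/2024:10:00:01 +0000] "GET /cart HTTP/1.1" 200 512 "-" "Mozilla/5.0"
www1 87.194.216.51 - - [10/Mar/2024:10:00:02 +0000] "POST /cart/buy HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
www2 87.194.216.51 - - [10/Mar/2024:10:00:03 +0000] "GET /missing HTTP/1.1" 404 128 "-" "curl/8.0"
www2 172.16.40.9 - - [10/Mar/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 500 64 "-" "Mozilla/5.0"
www1 203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /login HTTP/1.1" 503 64 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<clientip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<useragent>[^"]*)"$'
)

def parse_events(text):
    """Extract host, clientip, method, uri, status and useragent from each combined-format line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the format are skipped
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events

def cidrmatch(cidr, ip):
    """Equivalent of SPL cidrmatch(): True when ip lies inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def external_clients(events, internal=("10.0.0.0/8", "172.16.40.0/24")):
    """`where NOT cidrmatch(...) | top clientip`: count sources outside the internal ranges."""
    counts = Counter(ev["clientip"] for ev in events
                     if not any(cidrmatch(c, ev["clientip"]) for c in internal))
    return counts.most_common()

def status_class(status):
    """Bucket a status code by its hundreds digit (2xx success, 4xx client error, 5xx server error)."""
    return {2: "success", 4: "client error", 5: "server error"}.get(status // 100, "other")

def chart_by_host(events):
    """`chart count(eval(...)) as ... by host`: per-host counts of each status class."""
    table = {}
    for ev in events:
        table.setdefault(ev["host"], Counter())[status_class(ev["status"])] += 1
    return {host: dict(c) for host, c in table.items()}
```

Note that the notes' `status > 200` filter also matches 3xx redirects; bucketing by range keeps those out of the error counts.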
List the 5 browsers users use most, visualise as a pie chart and save it to an existing dashboard
index=apache sourcetype="access_combined_wcookie" | top useragent limit=5
Get region, country, city and similar information from an IP address
iplocation: resolves the location of an IP address using a 3rd-party database
index="apachedata" sourcetype="access_combined_wcookie" | top 10 clientip|iplocation clientip
Comparison chart of GET and POST requests per server, saved to a dashboard
index="apachedata" sourcetype="access_combined_wcookie"|timechart count(eval(method=="GET")) as "GET请求",count(eval(method=="POST")) as "POST请求" by host