Hello
My firm currently has the dashboard below that shows top employees utilization and top sites visited.
I am looking for a way to query how may times a person has or remote office has hit a certain site and how much utilization it is using.
index="istr_security" sourcetype=bcoat_proxysg 10.X.X. | rex field=_raw "^\S+ \S+ \S+ (?\S+)" | rex field=_raw "(?[a-z]+://(?[^:/]+)\S+) (?\d+)" | rex field=fqdn "(?[^.]+\.[^.]+)$" | rex field=_raw "(?\d+) (?\d+) (?\d+)" | eval server_mbytes=round(server_bytes/1000000,2) | eval duration_secs=round(duration_msecs/1000,2) | timechart useother=0 sum(server_mbytes) by corpid
Thank you
Try this
index="istr_security" sourcetype=bcoat_proxysg 10.X.X. "*certainsite.com"| rex field=_raw "^\S+ \S+ \S+ (?\S+)" | rex field=_raw "(?[a-z]+://(?[^:/]+)\S+) (?\d+)" | rex field=fqdn "(?[^.]+.[^.]+)$" | rex field=_raw "(?\d+) (?\d+) (?\d+)" | eval server_mbytes=round(server_bytes/1000000,2) | eval duration_secs=round(duration_msecs/1000,2) | stats count sum(server_mbytes) as mbytes by corpid
Thank you. I tried to copy and paste this into the code field and tweaked the IP to reflect our proxy server and seem to run into a snag.
Error in 'rex' command: Encountered the following error while compiling the regex '^\S+ \S+ \S+ (?\S+)': Regex: unrecognized character after (? or (?-