I have an Apache access log which I'm searching for any .cgi or .pl file hit, with the latest date it's been hit.
Some of the .cgi or .pl files do get parameters passed after the question mark (i.e. test.pl?user=nobody&location=uk). I don't want to capture that information.
So, basically, I'd like to have a table with two columns: cgi/pl name (full path, so we ensure we get the right one), and the last time it was hit.
Is that possible?
Should be able to do this with a search like this:
sourcetype=access_common (.cgi OR .pl) | stats max(_time) as last_time by uri_path | convert ctime(last_time)
The uri_path field should contain everything up to the .pl or .cgi, but not any of the args (the stuff after the ?).
In order for Lowell's search to work, your Apache access log needs to be sourcetyped access_common. If it is not (e.g. you are using your own sourcetype), the uri_path field needs to be defined.
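To make concrete what the search above does, and what the uri_path field has to look like if you must extract it yourself for a custom sourcetype, here is an added Python example (not from either answer, and not Splunk code). It parses constructed Apache common log lines, derives uri_path by dropping everything from the ? onward, keeps only paths ending in .cgi or .pl, and takes the latest timestamp per path, which is the same result the stats max(_time) by uri_path pipeline produces. The log lines, the regex and the function names are all assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache common log format (made up for this example).
# Includes a query string, a POST, a non-script hit, a near-miss name and a junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.pl?user=nobody&location=uk HTTP/1.1" 200 512
10.0.0.6 - - [11/Oct/2023:09:01:02 +0000] "GET /cgi-bin/test.pl HTTP/1.1" 200 512
10.0.0.7 - - [09/Oct/2023:08:00:00 +0000] "POST /admin/form.cgi?id=3 HTTP/1.1" 302 0
10.0.0.8 - - [12/Oct/2023:23:59:59 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2023:10:10:10 +0000] "GET /docs/test.pl.txt HTTP/1.1" 200 10
garbage line that does not parse
"""

# Common log format: client ident user [timestamp] "method uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def uri_path(uri):
    """Equivalent of Splunk's uri_path: the request URI with the query string
    (everything from '?') and any fragment removed."""
    return uri.split("?", 1)[0].split("#", 1)[0]


def parse_line(line):
    """Return (uri_path, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return uri_path(m.group("uri")), ts


def is_script(path, exts=(".cgi", ".pl")):
    """True only when the path itself ends in one of the script extensions."""
    return path.lower().endswith(exts)


def last_hit_by_script(log_text):
    """Mirror of: stats max(_time) as last_time by uri_path, limited to .cgi/.pl.
    Returns {uri_path: latest datetime}."""
    last = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip, as Splunk would leave uri_path empty
        path, ts = parsed
        if not is_script(path):
            continue
        if path not in last or ts > last[path]:
            last[path] = ts
    return last


if __name__ == "__main__":
    # Two-column table: full script path and last hit time (ctime-style output).
    for path, ts in sorted(last_hit_by_script(SAMPLE_LOG).items()):
        print(f"{path:<30} {ts.strftime('%m/%d/%Y %H:%M:%S')}")
```

Note that is_script requires the path to end with the extension, so /docs/test.pl.txt is excluded; a free-text match on .pl in the search bar is looser than that, and because the stats groups by the full uri_path, any such near-miss would simply show up as its own row in the Splunk result rather than being merged with test.pl.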