Assume the following squid log samples:
(squid-1): 1515606581.001 100 1.2.3.4 TCP_TUNNEL/200 500 CONNECT some.fqdn.com:443 - DIRECT/1.2.3.4
(squid-1): 1515606582.002 200 1.2.3.4 TCP_TUNNEL/200 2000 CONNECT some.fqdn.com:443 - DIRECT/1.2.3.4
(squid-1): 1515606583.003 200 1.2.3.4 TCP_TUNNEL/200 5000 CONNECT some.fqdn.com:443 - DIRECT/1.2.3.4
Example search with a regular expression to filter for TIME, SIZE and URL:
squid-1 |rex field=_raw "squid-1\):\s+\d+\.\d+\s+(?<TIME>\d+).*TCP_TUNNEL\/200\s+(?<SIZE>.*)\s+CONNECT\s+(?<URL>.*)\:"
| top TIME,SIZE,URL
How can i set a condition for the size to list only for example SIZE>1000?
Many thanks
You would do that after using rex
to extract the field:
squid-1 |rex field=_raw "squid-1\):\s+\d+\.\d+\s+(?<TIME>\d+).*TCP_TUNNEL\/200\s+(?<SIZE>.*)\s+CONNECT\s+(?<URL>.*)\:"
| search SIZE>1000
| top TIME,SIZE,URL
hey try this
squid-1 |rex field=_raw "squid-1\):\s+\d+\.\d+\s+(?<TIME>\d+).*TCP_TUNNEL\/200\s+(?<SIZE>.*)\s+CONNECT\s+(?<URL>.*)\:"
| where SIZE>1000
| top TIME,SIZE,URL
Let me know if this helps you!
You would do that after using rex
to extract the field:
squid-1 |rex field=_raw "squid-1\):\s+\d+\.\d+\s+(?<TIME>\d+).*TCP_TUNNEL\/200\s+(?<SIZE>.*)\s+CONNECT\s+(?<URL>.*)\:"
| search SIZE>1000
| top TIME,SIZE,URL
Ah, it was the search command which was missing. THANK YOU!