I was told i could find command info in url buy finding the url's that are 2.5 times longer than the average length. I think i know how to do the sub search but i don't know how to find the url length. Can anyone help?
In your search just do: foo_search | eval url_length = len(url) | more_things
.
If you wanted to find the avg over a time period you would do:
sourcetype=access_combined | eval url_length = len(url) | stats avg(url_length)
In your search just do: foo_search | eval url_length = len(url) | more_things
.
If you wanted to find the avg over a time period you would do:
sourcetype=access_combined | eval url_length = len(url) | stats avg(url_length)