Re: How to separate a search by groups of hosts?

meleschi · ‎04-24-2017

Hello!

If I run this query, I'll get a graph of the # of queries over time aggregated for all of my hosts.

host=* | timechart per_minute(Query)

If I run this query, I'll have a similar graph with one line shown per host.

host=* | timechart per_minute(Query) by host

Is there any way to graph by groups of hosts? Say, by the domain of the server.

example:

host=* | timechart per_minute(Query) by group (a, b, c) where group a like "*.a.com" and group b like "*.b.com" and group c like "*.c.com"

woodcock · ‎11-22-2019

Like this:

 host=*
| rex field=host mode=sed "s/^[^\.]+/\*/"
| timechart per_minute(Query) BY host

meleschi · ‎11-22-2019

Thank you for both answers above. I ended up placing some data in a lookup table, and using that to break apart servers by region, type, etc.

somesoni2 · ‎04-24-2017

You can create a field with those criteria/specification and they group by those.
e.g.

 host=* | eval group=case(like(host,"%.a.com"),"group a",like(host,"%.b.com"),"group b",...other sets here, 1=1,"defauly") | timechart per_minute(Query) by group

If you're only interested in group a/b/c (you don't want to statistics for other domains, add them as filter in the base search.

 host=*.a.com OR host=*.b.com OR host=*.c.com  | eval group=case(like(host,"%.a.com"),"group a",like(host,"%.b.com"),"group b",...other sets here, 1=1,"defauly") | timechart per_minute(Query) by group

lycollicott · ‎04-24-2017

Off the top of my head, I would extract a field to be the domain and group by that.

So, something like:

hosts=* 
| rex field=host "\.(?\w+\.\w+)"
| timechart span=1m count by domain_name

How to separate a search by groups of hosts?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...