Here a bunch of queries I’ve been working recently. Hope it helps!
SEARCH FOR NOT FOUND WEB PAGES
Perform the following query:
404 and 'Log Source' like '%access%'
SEARCH REQUEST THAT RETRIEVE A PAYLOAD BIGER THAN A SIZE AND ORDER THEM BY SIZE DESCENDING
'Content Size' > 0 | eval MB = 'Content Size' / (1024 * 1024) | where MB > X | sort -MB
Where X is the size in MB, for example:
'Content Size' > 0 | eval MB = 'Content Size' / (1024 * 1024) | where MB > 5 | sort -MB
DETECT IF MORE THAN ONE LOG SOURCE IS LOADING THE SAME LOG RECORDS
My colleague created a new log source for OSB access logs with a pattern that was already configured in the WLS Server log source. In the osa access log source he included a data filter but all the records appeared in searches. My guess was that the records were processed by the 2 log sources… With this query I found that record were coming from the 2 sources:
<unique expression you have checked is only in one log file> | distinct 'Log Source'
'/pedi2/img/u173.png' | distinct 'Log Source'
REJECT ALL RECORDS EXCEPT THOSE CONTAINING “or /AAA/ or /BBB/ or /CCC/ or /DDD/”
SOLUTION: Create a data filter with an expression like:
^(?!.*(\/AAA\/|\/BBB\/|\/CCC\/|\/DDD\/)).*
Example:
^(?!.*(\/pedis\/|\/regus\/|\/pedi2\/|\/regis\/)).*
SEARCH FOR A PHRASE
Enclose it in ” or “”. Example:
'MANAGERS PedidoManagerMov' and 'Log Source' = 'MDONA WEBAPP Logs' | cluster
Enjoy 😉
approaching off the bow 