Complex Search Examples

The following table contains examples of complex search queries. Each entry gives the query, followed by an explanation of what it returns and, where relevant, which log fields it requires:

 error | first 10

Searches system log events for error, and shows the first 10 results only.

 error | count | group by ext.log

Searches the system log events for error, and shows error count per log.

 error | count | group by ext.log | order by count asc

Searches the system log events for error, and shows error count per log in ascending order of count.

 error | count | group by ext.log | order by count desc

Searches the system log events for error, and shows error count per log in descending order of count.

 * in log.log4J | count | group by priority

Runs on all events in the log log4J and aggregates unique values in the log field priority.

Note: A log field named priority is required.

* in log.log4j log | count | group by priority | display count as Unique Count

Same as the previous query example, with the exception that it “renames” the count column to Unique Count

* in log.access log | count | group by status

Runs on all events in the log access log and aggregates unique values in the log field status.

Note: A log field named status is required.

* in log.access log | count | group by url

Runs on all events in the log access log and aggregates unique values in the log field url.

Note: A log field named url is required.

* in log.access log | avg bytes sent | group by remote host

Calculates the average of the log field bytes sent for each unique remote host in the log access log.

Note: Log fields with the names bytes sent and remote host are required. Also, bytes sent should be numeric so that the average of its values can be calculated.

* in log.access log | avg bytes sent | group by remote host | display avg in volume format

Calculates the average of the log field bytes sent for each unique remote host in the log access log, and formats the value of the bytes sent average to volume format instead of a regular numeric value.

Note: Log fields with the names bytes sent and remote host are required. Also, bytes sent should be numeric so that the average of its values can be calculated.

* in log.access log | avg bytes sent | group by remote host | display avg in volume format (bytes, MB)

Same as the previous query example, with the exception that in this example, volume format receives the parameters (INPUT_VOLUME_UNIT, DISPLAY_VOLUME_UNIT).

XpoLog treats the value in the log field bytes sent as bytes, and presents the result in Megabytes.
Available volume units: B, KB, MB, GB

* in log.IIS Log Test | avg time-taken | group by c-ip | display avg in time format

Calculates the average of the log field time-taken for each unique c-ip in the log IIS Log Test, and formats the value of the time-taken average to time format instead of displaying a regular numeric value.

Note: Log fields with the names time-taken and c-ip are required. Also, time-taken should be numeric so that the average of its values can be calculated.

* in log.IIS Log Test | avg time-taken | group by c-ip | display avg in time format (ms,minutes)

Same as the previous query example, with the exception that in this example, time format receives the parameters (INPUT_TIME_UNIT, DISPLAY_TIME_UNIT).

XpoLog treats the value in the log field time-taken as milliseconds, and presents the result in minutes.
Available time units: microsec, ms, sec, min, hour, day

* in log.access log | count, max bytes sent, min bytes sent, avg bytes sent | group by remote host

Calculates the number of occurrences, as well as the maximum, minimum, and average values of the log field bytes sent, for each unique remote host in the log access log.
Note: Log fields with the names bytes sent and remote host are required. Also, bytes sent should be numeric so that the average of its values can be calculated.
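The aggregation pipelines in the access-log examples above (count, max, min and avg of a field, group by, order by, and the volume and time display formats) modelled in Python as an added example. This is not XpoLog's own code: the access-log lines are constructed, the 1024-based volume units and the bytes/minutes unit aliases are assumptions made for the illustration, and the field names mirror the ones the queries reference. Sorting remote hosts by count or by bytes sent is the kind of query a practitioner runs to spot one client hammering an endpoint or pulling unusually large responses.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Apache-style) used only for this example; not real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 403 512
10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "GET /export.zip HTTP/1.1" 200 2097152
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /login HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2024:10:00:05 +0000] "POST /api HTTP/1.1" 500 256
"""

LINE_RE = re.compile(
    r'^(?P<remote_host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes_sent>\d+)$')


def parse_access_log(text):
    """Turn raw lines into records carrying the log fields the queries use
    (remote host, status, url, bytes sent). Lines that do not fit the layout
    carry no fields and are skipped, which is why the page insists the
    fields must exist before count/avg can work."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        records.append({
            "remote host": g["remote_host"],
            "status": g["status"],
            "url": g["request"].split()[1],
            "bytes sent": int(g["bytes_sent"]),  # numeric, so avg/min/max are defined
        })
    return records


def aggregate(records, group_by, field=None, order_by=None, desc=False):
    """count[, max/min/avg <field>] | group by <group_by> | order by <order_by> asc|desc."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[rec[group_by]].append(rec[field] if field else None)
    rows = []
    for key, vals in buckets.items():
        row = {group_by: key, "count": len(vals)}
        if field:
            row.update(max=max(vals), min=min(vals), avg=sum(vals) / len(vals))
        rows.append(row)
    if order_by:
        rows.sort(key=lambda r: r[order_by], reverse=desc)
    return rows


# Unit tables for "display ... in volume format (IN, OUT)" and "time format (IN, OUT)".
# Assumptions: binary (1024) volume units, and "bytes"/"minutes" as aliases of B/min.
VOLUME_UNITS = {"B": 1, "bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
TIME_UNITS = {"microsec": 1e-6, "ms": 1e-3, "sec": 1.0, "min": 60.0, "minutes": 60.0,
              "hour": 3600.0, "day": 86400.0}


def display_as(value, input_unit, display_unit, units):
    """Interpret value in input_unit and present it in display_unit."""
    return value * units[input_unit] / units[display_unit]


if __name__ == "__main__":
    recs = parse_access_log(ACCESS_LOG)
    # count, max bytes sent, min bytes sent, avg bytes sent | group by remote host | order by count desc
    for row in aggregate(recs, "remote host", "bytes sent", order_by="count", desc=True):
        mb = display_as(row["avg"], "bytes", "MB", VOLUME_UNITS)
        print(row["remote host"], row["count"], row["max"], row["min"], f"{mb:.3f} MB")
    # count | group by status
    print(aggregate(recs, "status"))
```

`display_as` is applied after aggregation, exactly as `display avg in volume format (bytes, MB)` sits after `avg bytes sent` in the pipeline; converting before averaging would give the same number here but would silently change min/max rounding if units were integers.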

error or exception | count | interval 1 day

Counts the events that contain error or exception in a log per 1-day interval (i.e. the number of errors/exceptions per day).
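The per-interval count above, implemented in Python as an added example (not XpoLog's own code). The system-log lines are constructed; the assumptions are that the free-text match is case-insensitive, that the interval spec is a number plus one of min, hour or day, and that buckets are aligned to the start of the interval (midnight for 1 day). The same function handles finer intervals, which is how a spike of authentication errors within a single hour stands out from a flat daily total.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed system-log lines used only for this example.
SYSTEM_LOG = """\
2024-03-11 23:59:58 INFO  scheduler started
2024-03-12 00:00:03 ERROR database connection refused
2024-03-12 08:15:20 WARN  disk 91% full
2024-03-12 13:42:07 java.lang.NullPointerException at Handler.run
2024-03-13 02:10:11 ERROR authentication failed for user svc-backup
2024-03-13 02:10:12 ERROR authentication failed for user svc-backup
2024-03-14 09:00:00 INFO  nightly backup complete
"""

# Interval units accepted by parse_interval (an assumption about the syntax).
INTERVAL_UNITS = {"min": 60, "hour": 3600, "day": 86400}


def parse_interval(spec):
    """'1 day' -> timedelta(days=1); a trailing 's' (e.g. '2 days') is tolerated."""
    amount, unit = spec.split()
    return timedelta(seconds=int(amount) * INTERVAL_UNITS[unit.rstrip("s")])


def matches(line, terms):
    """'error or exception': the line matches if any term occurs (case-insensitive, assumed)."""
    low = line.lower()
    return any(t.lower() in low for t in terms)


def count_per_interval(text, terms, interval):
    """<terms> | count | interval <interval>: number of matching events per bucket,
    keyed by the bucket start as 'YYYY-MM-DD HH:MM:SS'."""
    counts = Counter()
    epoch = datetime(1970, 1, 1)
    for line in text.splitlines():
        if not matches(line, terms):
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        # floor the timestamp to the start of its interval
        bucket = epoch + ((ts - epoch) // interval) * interval
        counts[bucket.isoformat(sep=" ")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    terms = ["error", "exception"]
    for spec in ("1 day", "1 hour"):
        print(spec, count_per_interval(SYSTEM_LOG, terms, parse_interval(spec)))
```

Days with no matching events produce no bucket here; if a dashboard needs an explicit zero for quiet days, fill the missing bucket keys between the first and last bucket before plotting.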
