Skip to main content
Sumo Logic

Lab 2 - Simple Parsing, Grouping, and Filtering

  1. Last updated
  2. Save as PDF
This lab teaches you the basics of working with parsing, aggregating, and filtering the results.
Learn basic operators to parse and group your search results. Future labs will go deeper in each area.

 

  1. Search Apache logs (Access and Error logs) for the last 15 minutes and count results by _source.

_sourceCategory=Labs/Apache/*

| count by _source

  1. Update the query to parse the ip address using parse regex and count by ip address.

_sourceCategory=Labs/Apache/*

| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| count by ip_address

  1. Filter out those with a count greater than 2500. Display your results in a pie chart.

_sourceCategory=Labs/Apache/*

| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| count by ip_address

| where _count > 2500

Image of Pie Chart

  1. In a new query, identify the top 10 source IP addresses by bandwidth usage. This will require parsing the byte sizes as well as the source IPs.

_sourceCategory=Labs/Apache/Access

| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| parse " 200 * " as size

| sum(size) as total_bytes by ip_address

| top 10 ip_address by total_bytes

 

Bonus: Find the average size by source ip.