Skip to main content
Sumo Logic

Lab 2 - Simple Parsing, Grouping, and Filtering

  1. Last updated
  2. Save as PDF
This lab teaches you the basics of working with parsing, aggregating, and filtering the results.
Learn basic operators to parse and group your search results. Future labs will go deeper in each area.

 

  1. Search Apache logs (Access and Error logs) for the last 15 minutes and count results by _source.

_sourceCategory=Labs/Apache/*

| count by _source

  1. Update the query to parse the ip address using parse regex and count by ip address.

_sourceCategory=Labs/Apache/*

| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| count by ip_address

  1. Filter out those with a count greater than 2500. Display your results in a pie chart.

_sourceCategory=Labs/Apache/*

| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| count by ip_address

| where _count >500

clipboard_eb2e60567396b3475cade4400ae1f5e4b.png

  1. In a new query, identify the top 10 source IP addresses by bandwidth usage. This will require parsing the byte sizes as well as the source IPs.

_sourceCategory=Labs/Apache/Access

| parse regex "(?<ip_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| parse " 200 * " as size

| sum(size) as total_bytes by ip_address

| top 10 ip_address by total_bytes

 

Bonus: Find the average size by source ip.