Lab 6 - Plotting Clients on a Map

Learn to use the geo lookup operator to plot the location of your incoming requests on a map.

1. Run a search for all Apache Access logs and parse the ip address.

2. Use the ip address to search for the latitude and longitude coordinates

_sourceCategory=Labs/Apache/Access

| parse "* - -" as client_ip

| lookup latitude, longitude from geo://location on ip=client_ip

| count by latitude, longitude

| sort _count

3. Map your results.

Bonus: Edit your map to only show results for the US (country_code="US"). This will require additional fields other than just latitude and longitude. Check out the documentation for other fields available.

Optional: Test Your Knowledge

Using the extracted fields from the Apache Access Field Extraction Rule, build the following queries:

1. Count Number of Messages by Method

   1. Scope: _sourceCategory=Labs/Apache/Access

   2. Time Range: Last 45 Minutes (-45m)

   3. Time slice by 1 minute

   4. Count by method and timeslice

2. Count Number of 404 Error Messages by Method

   1. Scope: _sourceCategory=Labs/Apache/Access and only 404 messages

   2. Time Range: 15 minutes, but starting 30 Minutes ago (-45m -30m)

   3. Time slice by 1 minute

   4. Count by method and timeslice

3. Count Successes versus Failures

   1. Scope: _sourceCategory=Labs/Apache/Access

   2. Time Range: Nov 25 8:00 AM - Nov 25 8:45am

   3. Count 2* messages as Successes and 4* messages as Failures

   4. Sum Successes and Failures