ShadowTrackr


New query keyword: IN

03 April 2022
Query based reports are here, and query based alerts are underway. To make full use of this, queries should be easy to write. That is why you can now use IN () and NOT IN () as keywords.

Say you want a report of all websites that do not return a 201, 403 or 404 HTTP code. The old way (which still works) would be:

index=websites https_status!=201 AND https_status!=403 
  AND https_status!=404

The more values you want to select or exclude, the longer the query becomes. With the new keyword this query can be rewritten as:

index=websites https_status NOT IN(201, 403, 404)

Much better, right?

Select report columns with | table

27 March 2022
Last week custom reports went live. One of the first things you of course want is the ability to select the columns or fields you want in the search results and exports. For that, we now have the keyword table.

Just like in Splunk, you can "pipe" queries into other commands. For now only the table command is supported. With table you can explicitly select the columns you want in the search results. It works on all queries, including queries with the by keyword. All queries where results are grouped with by will always contain the count per group in the last column (named "count").

Here is an example query to try:

index=websites latest=-7d | table url ip https_status http_status

You can also use | table to select columns in combination with the by keyword in grouped results:

index=hosts by asn | table asn country

In beta: custom reports

21 March 2022
After many requests, it is finally here! The left-hand menu of the GUI shows a new item: custom reports. Reports are query based. All query results you see in the GUI will be in the report too.

You can schedule reports daily, weekly or monthly. Output formats are Excel, csv, json and pdf. Note that the pdf version will switch to rows instead of columns for any output containing more than 5 columns. You can select your columns with the new keyword "table" in the query like this:

index=hosts ports=3306 | table ip ports asn last_seen

First quirk to be solved: when you create a new report, you have to save it first before you can add email recipients.