This document provides a cheat sheet summarizing the syntax and functionality of various search commands for LogPoint v6. It includes simple searches using text, phrase, field searches and operators like AND, OR, and NOT. It also describes complex searches using commands like fields, chart, timechart, norm, rex, aggregators like count, min, max, avg, sum, latest, arithmetic operations, formatting options, ordering, limiting results, and enrichment using predefined lists.
Query Cheat Sheet
LogPoint v6

Each entry gives the command name, its syntax and a description.

SIMPLE SEARCH

Text search
  Syntax:      login
  Description: Looks for log messages containing login.

  Syntax:      login successful
  Description: Looks for log messages containing both login and successful.

Phrase search
  Syntax:      "login successful"
  Description: Looks for the exact phrase login successful.

Field search
  Syntax:      user=john
  Description: Looks for all log messages containing the field value pair user=john.

  Syntax:      device_ip=192.168.2.81
  Description: Looks for all log messages containing the field value pair device_ip=192.168.2.81.

AND
  Syntax:      severity=6 AND device_ip=192.168.2.205
  Description: Looks for the logs with device_ip=192.168.2.205 and severity=6.

OR
  Syntax:      login OR logout
  Description: Looks for the logs with either login or logout.

NOT (exclusion)
  Syntax:      -device_ip=127.0.0.1
  Description: Looks for the logs with device_ip not equal to 127.0.0.1.

!
  Syntax:      device_ip!=127.0.0.1
  Description: Looks for the logs with device_ip not equal to 127.0.0.1.

Braces
  Syntax:      failed OR (denied AND locked)
  Description: Looks for log messages with either failed or both denied and locked. Use braces to override the default binding behavior of the query.

Wildcard (?)
  Syntax:      log?n
  Description: Looks for messages containing logan, logbn, login etc. ? denotes a single-character wildcard.

Wildcard (*)
  Syntax:      log*
  Description: Looks for messages containing log at the start of a word, as in log, LogPoint, logout, login etc. * denotes a multi-character wildcard.

COMPLEX SEARCH

fields
  Syntax:      | fields user, device_ip, severity
  Description: Displays the logs with the fields user, device_ip and severity in tabular form.

chart
  Syntax:      | chart count() by device_ip
  Description: Displays a chart and the log count for each device_ip.

  Syntax:      | chart count() by destination_address, destination_port
  Description: Displays the chart and count of logs from each destination_address to each destination_port.

  Syntax:      login | chart count() by user
  Description: Looks for all log messages containing login. The chart command groups the messages by the field user and displays the chart and count of logs.

timechart
  Syntax:      login | timechart count() by device_ip
  Description: Displays the chart and count of login by device_ip in different time intervals.

norm
  Syntax:      | norm source port:<source_port:int>
  Description: Assigns the number immediately following "source port:" to the dynamic field source_port and displays the log messages.

rex
  Syntax:      | rex "Protocol:(?P<protocol_id>\d+)"
  Description: Assigns the number immediately following "Protocol:" to the dynamic field protocol_id and displays the log messages.

| search
  Syntax:      | rex "Protocol:(?P<protocol_id>\d+)" | search protocol_id
  Description: search can be used to search the dynamic field value pairs created by rex and norm.

AGGREGATORS

count
  Syntax:      login | chart count(event_id=528) by device_ip
  Description: Looks for all log messages containing login, groups them by device_ip and shows the count of messages containing the field value event_id=528.

timechart
  Syntax:      source_address=* | timechart count() by source_address
  Description: Builds a trend chart based on all source addresses observed over a period. Note that trending with some chart types may be resource intensive if more than 10 entities are brought into scope.

distinct_count
  Syntax:      | chart distinct_count(destination_port) by destination_address
  Description: Displays the count of unique destination_port values grouped by destination_address.

min
  Syntax:      | chart min(severity, severity > 3)
  Description: Displays the log message with the minimum severity greater than 3.

max
  Syntax:      | chart max(severity) by device_ip
  Description: Displays the maximum severity value seen for each device_ip.

avg
  Syntax:      | chart avg(response_time)
  Description: Displays the chart of log messages with the average of their response_time.

sum
  Syntax:      | chart sum(datasize) by destination_port
  Description: Displays the total datasize at each destination_port in a chart.

var
  Syntax:      | chart var(severity) by source_address
  Description: Returns the variance of the severity values for each source_address.

latest
  Syntax:      device_name=* | latest by log_ts,devicename
  Description: Displays only the last log received from each device_name.

ARITHMETIC OPERATIONS ON AGGREGATORS

+ - / * ^
  Syntax:      | chart max(severity+facility*8), max(destination_port/10)
               | chart avg(actual_mps^10), sum(doable_mps - actual_mps)
  Description: Simple arithmetic operations (addition, subtraction, division, multiplication and power) inside aggregation functions, EXCEPT count and distinct_count.

FORMATTING

order by
  Syntax:      | chart count() by device_ip order by count() DESC
  Description: Displays the count of log messages for each device_ip in descending order of count. Use ASC for ascending order.

limit
  Syntax:      | chart count() by device_ip limit 10
  Description: Displays only 10 groups on the chart as well as in the result list. Also works for timechart, by dividing the time range into 10 equal periods.

every
  Syntax:      | timechart count() every 20 minutes
  Description: Displays the timechart with a graph value every 20 minutes. Hours and days are accepted as well.

step
  Syntax:      | chart count() by step(destination_port,100)
  Description: Displays the count of destination_port in steps of 100.

alias
  Syntax:      | chart count(object="process") as "PROCESS", count(action= created OR exited) as EXECUTION
  Description: Names the result charts PROCESS and EXECUTION and gives their total counts.

  Syntax:      | chart count() as CNT, max(severity) as MAX_SEV by device_ip order by CNT | search MAX_SEV < 4
  Description: Aliasing used with order by and with search on the result.

ENRICHMENT

Using Lists
  Syntax:      fieldname IN LIST_NAME
               user IN ILLEGAL_USER
  Description: Displays the activities of all users listed in the list ILLEGAL_USER.

  Syntax:      fieldname IN [value1,value2,value3, ]
               user IN [jack, ajay, suresh]
  Description: Inline list; displays the activities of only those users listed inside the brackets.

Using Maps
  Syntax:      | chart count() by map(fieldname, MAP_NAME)
               | chart count() by map(severity,{1:'emergency',2:'critical'})
  Description: Inline mapping; displays the dynamically mapped severity values.

Using Table
  Syntax:      table Lookup_Table_Name
               table employeeData
  Description: Calls the table named employeeData and displays the fields from the table.

  Syntax:      table employeeData Salary>=20000
  Description: Calls the table named employeeData and displays only the rows where the salary is greater than 20,000.

  Syntax:      table employeeData Salary >= 20000 Salary <40000
  Description: Calls the table named employeeData and displays only the rows where the salary is between 20,000 and 40,000.

Using Rename
  Syntax:      | rename field as new_name
               | rename John as user1, Jane as User2, Office as Work_Place011
  Description: The most widely used query, particularly for data visualization or tabulation. Renames an existing field to another name. The scope of rename is limited to that query only; the original field names are not changed.

  Syntax:      <search string> | rename action as command_executed | chart count() by command_executed
  Description: Here the field action is renamed to command_executed and used in the chart visualization. The index for the chart will contain command_executed.

Using Search
  Syntax:      | search fieldname
               login username=* | chart count() as count_username by username | search count_username > 5
  Description: Use the search command when you have to filter the content of logs in addition to the default search query. Use this syntax to sort fields obtained from rex, norm, alias or rename. search can be included in any part of the query; remember that it is preceded by a pipe, as | search.

Using Latest command
  Syntax:      <search_query> | latest field_name
               status=down port=80 | latest by device_ip
  Description: The latest command finds the most recent log message for every unique combination of the provided field values. The query displays the latest device IP where port 80 is down.

  Syntax:      status=down port=80 | latest on log_ts by device_ip
  Description: Sorts the latest device_ip based on the field log_ts.

Pattern Finding
  Syntax:      [stream 1] <aliased as s1> <join/followed by> [stream 2] <aliased as s2> <within time limit> on <Join_conditions> | additional filter query

  Syntax:      [5 error]
  Description: Displays the result when 5 error messages are seen in the system.

  Syntax:      [10 error having same user_name]
  Description: Use 'having same' followed by a field name to generate a pattern based on that field. Here the result is displayed when 10 error messages are seen for a single distinct user.

  Syntax:      [10 error having same user_name,destination_address, destination_port]
  Description: The result is displayed when the same user, with the same destination address and destination port, has 10 error messages in the logs.

  Syntax:      [10 login source_address=127.0.0.1 having same user_name within 15 minutes]
  Description: Adds a time limit: the pattern matches only if the actions take place within 15 minutes.

  Syntax:      [deny login] followed by [successful login]
  Description: The first stream checks whether there is a denied login on any system and the second anticipates a successful login following it. If a denied login is followed by a successful login, the corresponding result is displayed.

  Syntax:      [table PORT_MACHINE port<1024] AS s1 JOIN [table BLOCKED_PORT] AS s2 ON s1.port=s2.port
  Description: An example where two query streams are connected by the JOIN syntax. The query compares the Port on PORT_MACHINE with the Port on BLOCKED_PORT and, if the condition is satisfied, displays the associated information. Streams can be aliased: the first stream is named s1 and the second s2. The parameters of a stream can then be referenced with a dot (.) after the stream name, for example s1.port.

Using Process Command
  Syntax:      label = Connection | process geoip (source_address) AS country | chart count() by country order by count() desc
  Description: The query first captures all log messages labeled Connection (label = Connection). Then it uses the geoip function to look up the country name for those logs (process geoip (source_address) AS country). Finally, the count of log messages is displayed as a chart in descending order (chart count() by country order by count() desc).
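As an added illustration (not part of the cheat sheet and not LogPoint's own code), the Python below emulates the semantics of three constructs listed above over constructed sample log lines: rex named-group extraction, chart count() by <field>, and the pattern-finding rule [n <filter> having same <field> within <m> minutes]. The log lines, field names and user names are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real LogPoint data): ISO timestamp, then the message.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 login user=alice result=denied",
    "2024-01-01T10:04:00 login user=alice result=denied",
    "2024-01-01T10:09:00 login user=alice result=denied",
    "2024-01-01T10:00:00 login user=bob result=denied",
    "2024-01-01T10:30:00 login user=bob result=denied",
    "2024-01-01T11:00:00 login user=bob result=denied",
    "2024-01-01T10:01:00 login user=carol result=success",
]

# Same (?P<name>...) named-group syntax as the cheat sheet's rex example; Python's re uses it too.
REX = re.compile(r"user=(?P<user_name>\w+) result=(?P<action>\w+)")

def rex_extract(lines, pattern=REX):
    """Emulate `| rex`: each matching line becomes a dict of dynamic fields plus its log_ts."""
    events = []
    for line in lines:
        ts_text, message = line.split(" ", 1)
        match = pattern.search(message)
        if match:  # lines without a match yield no dynamic fields and are dropped here
            event = match.groupdict()
            event["log_ts"] = datetime.fromisoformat(ts_text)
            events.append(event)
    return events

def chart_count_by(events, field):
    """Emulate `| chart count() by <field>`: number of events per distinct field value."""
    return dict(Counter(e[field] for e in events))

def having_same_within(events, n, field, window_minutes):
    """Emulate `[n <filter> having same <field> within <m> minutes]`: return the field
    values that have at least n events falling inside some span of window_minutes."""
    window = timedelta(minutes=window_minutes)
    times_by_key = defaultdict(list)
    for e in events:
        times_by_key[e[field]].append(e["log_ts"])
    hits = []
    for key, times in times_by_key.items():
        times.sort()
        # n consecutive sorted timestamps fit the window iff the first and last are <= window apart
        if any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1)):
            hits.append(key)
    return sorted(hits)
```

Filtering the extracted events to action == "denied" and calling having_same_within(denied, 3, "user_name", 15) flags only alice, whose three denials fall within 9 minutes, while bob's three denials spread over an hour do not match until the window is widened to 60 minutes.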
