Parser/Ncsa.pm: Assure that at least 20 search terms are printed.

[yaala.git] / README.selections

 yaala 0.7.3 - README.selections - 2004-11-10
==============================================
http://yaala.org/


One of the key features of yaala is, that you cen select the data printed
in the reports yourself. This is done using one or more select statements
which can be configured either in the config file or in the command line.

GENERAL SYNTAX
--------------
First you have to know that there are two types of fields: normal fields
(sometimes also called 'key') and aggregations. An aggregation is
basically everything you can sum up. In a webserver logfile this would be
the amount of bytes transferred and the number of requests. The keyfields
is everything else, e.g. the status code, because it doesn't make sense to
sum it up.

The syntax for select-statements is a bit like SQL. A basic select looks
as follows:
  select: "aggregation BY field";

This displays, for example, the amount of bytes transferred on each day.
For more detailed output you can select more than one (key)field. (The
combined output module supports up to three fields.) The fields have to be
comma-seperated:
  select: "aggregation BY field0, field1, field2";

If you are interested in more than one aggregation for the same
(combination of) fields, you can select more than one aggregation, too.
However, this tends to look confusing in the generated output.
  select: "aggregation0, aggregation1 BY field0, field1";

Ok, now you might only be interested in a part of all the requests. For
example you might wonder, how many times google has visited each file. You
can do this like this:
  select: "requests BY file WHERE host =~ google";

Or, more general like this:
  select: "aggregation BY field[, field ..] WHERE field <CMP> value";

'<CMP>' is the rule how to match the values. Methods implemented are:
  '=='  equal
  '!='  not equal
  '=~'  regular expression              (non-numeric only)
  '!~'  negated regular expression      (non-numeric only)
  '<', '>'      lesser/greater than
  '<=', '>='    lesser/greater or equal


FIELDS PROVIDED BY PARSERS
--------------------------
Which fields are available depends on the parser being used. A list of all
fields available from each parser follows:

Fields provided by the 'Bind9' parser:
Aggregations:
- requests
Keyfields:
- date
- hour
- client
- query
- class
- type
- severity
- category

Fields provided by the 'Common' parser:
Aggregations:
- bytes
- requests
Keyfields:
- date
- file
- host
- hour
- status
- tld

Fields provided by the 'Ncsa' parser:
Aggregations:
- bytes
- requests
Keyfields:
- browser
- date
- file
- host
- hour
- os
- referer
- status
- tld
- user
- virtualhost

Fields provided by the 'Squid' parser:
Aggregations:
- bytes
- elapsed
- requests
Keyfields:
- client
- date
- hierarchycode
- hour
- httpstatus
- method
- mime
- peer
- protocol
- resultcode
- server

Fields provided by the 'Xferlog' parser:
Aggregations:
- bytes
- count
Keyfields:
- host
- user
- access_mode
- date
- hour
- file
- completion_status
- direction
- transfer_type
- transfer_time
- special_action

Fields provided by the 'Postfix' parser:
Aggregations:
- count
- bytes
Keyfields:
- date
- hour
- sender
- recipient
- defer_count
- delay
- incoming_host
- outgoing_host

Fields provided by the 'Netacct' parser:
Please check/edit netacct.config, too!!
(EXPERIMENTAL!)
Aggregations:
- bytes
- packetcount
- connections
Keyfields:
- date
- destination
- destinationport
- hour
- interface
- month
- protocol
- source
- sourceport