yaala 0.7.3 - README.selections - 2004-11-10
==============================================
http://yaala.org/

One of the key features of yaala is that you can select the data printed in the reports yourself. This is done using one or more select statements, which can be configured either in the config file or on the command line.

GENERAL SYNTAX
--------------

First you have to know that there are two types of fields: normal fields (sometimes also called 'keys') and aggregations. An aggregation is basically everything you can sum up. In a webserver logfile this would be the amount of bytes transferred and the number of requests. The keyfields are everything else, e.g. the status code, because it doesn't make sense to sum it up.

The syntax for select statements is a bit like SQL. A basic select looks as follows:

  select: "aggregation BY field";

This displays, for example, the amount of bytes transferred on each day.

For more detailed output you can select more than one (key)field. (The combined output module supports up to three fields.) The fields have to be comma-separated:

  select: "aggregation BY field0, field1, field2";

If you are interested in more than one aggregation for the same (combination of) fields, you can select more than one aggregation, too. However, this tends to look confusing in the generated output.

  select: "aggregation0, aggregation1 BY field0, field1";

Ok, now you might only be interested in a part of all the requests. For example you might wonder how many times google has visited each file. You can do this like this:

  select: "requests BY file WHERE host =~ google";

Or, more generally, like this:

  select: "aggregation BY field[, field ..] WHERE field <method> value";

'<method>' is the rule how to match the values. Methods implemented are:

  '=='        equal
  '!='        not equal
  '=~'        regular expression (non-numeric only)
  '!~'        negated regular expression (non-numeric only)
  '<', '>'    lesser/greater than
  '<=', '>='  lesser/greater or equal

FIELDS PROVIDED BY PARSERS
--------------------------

Which fields are available depends on the parser being used. A list of all fields available from each parser follows:

Fields provided by the 'Bind9' parser:
  Aggregations:
    - requests
  Keyfields:
    - date
    - hour
    - client
    - query
    - class
    - type
    - severity
    - category

Fields provided by the 'Common' parser:
  Aggregations:
    - bytes
    - requests
  Keyfields:
    - date
    - file
    - host
    - hour
    - status
    - tld

Fields provided by the 'Ncsa' parser:
  Aggregations:
    - bytes
    - requests
  Keyfields:
    - browser
    - date
    - file
    - host
    - hour
    - os
    - referer
    - status
    - tld
    - user
    - virtualhost

Fields provided by the 'Squid' parser:
  Aggregations:
    - bytes
    - elapsed
    - requests
  Keyfields:
    - client
    - date
    - hierarchycode
    - hour
    - httpstatus
    - method
    - mime
    - peer
    - protocol
    - resultcode
    - server

Fields provided by the 'Xferlog' parser:
  Aggregations:
    - bytes
    - count
  Keyfields:
    - host
    - user
    - access_mode
    - date
    - hour
    - file
    - completion_status
    - direction
    - transfer_type
    - transfer_time
    - special_action

Fields provided by the 'Postfix' parser:
  Aggregations:
    - count
    - bytes
  Keyfields:
    - date
    - hour
    - sender
    - recipient
    - defer_count
    - delay
    - incoming_host
    - outgoing_host

Fields provided by the 'Netacct' parser:
  Please check/edit netacct.config, too!! (EXPERIMENTAL!)
  Aggregations:
    - bytes
    - packetcount
    - connections
  Keyfields:
    - date
    - destination
    - destinationport
    - hour
    - interface
    - month
    - protocol
    - source
    - sourceport
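To make the select grammar and the WHERE methods above concrete, here is an added Python sketch that parses a yaala-style select statement and evaluates it over records carrying the 'Common' parser's field names. It is illustrative code written for this README, not part of yaala; the sample records are constructed, and the numeric-vs-string comparison fallback is an assumption, since the README only says that '=~' and '!~' are non-numeric.

```python
import re
from collections import defaultdict

# Grammar from GENERAL SYNTAX: "agg[, agg ..] BY field[, field ..] [WHERE field <method> value]"
SELECT_RE = re.compile(
    r"^\s*(?P<aggs>[\w\s,]+?)\s+BY\s+(?P<keys>[\w\s,]+?)"
    r"(?:\s+WHERE\s+(?P<field>\w+)\s+(?P<method>==|!=|=~|!~|<=|>=|<|>)\s+(?P<value>\S+))?\s*$",
    re.IGNORECASE)

def matches(method, actual, wanted):
    # =~ / !~ are regular-expression methods (non-numeric only, as the README states)
    if method in ("=~", "!~"):
        hit = re.search(wanted, str(actual)) is not None
        return hit if method == "=~" else not hit
    try:                             # assumption: compare numerically when both sides are numbers
        a, w = float(actual), float(wanted)
    except (TypeError, ValueError):  # otherwise fall back to plain string comparison
        a, w = str(actual), str(wanted)
    return {"==": a == w, "!=": a != w, "<": a < w, ">": a > w, "<=": a <= w, ">=": a >= w}[method]

def parse_select(stmt):
    # Returns (aggregations, keyfields, where) with where = (field, method, value) or None
    m = SELECT_RE.match(stmt)
    if not m:
        raise ValueError("unparsable select statement: %r" % stmt)
    aggs = [x.strip() for x in m.group("aggs").split(",")]
    keys = [x.strip() for x in m.group("keys").split(",")]
    where = (m.group("field"), m.group("method"), m.group("value")) if m.group("field") else None
    return aggs, keys, where

def run_select(stmt, records):
    # Sum every aggregation per combination of keyfields, keeping only records that pass WHERE
    aggs, keys, where = parse_select(stmt)
    totals = defaultdict(lambda: [0] * len(aggs))
    for rec in records:
        if where and not matches(where[1], rec.get(where[0], ""), where[2]):
            continue
        row = totals[tuple(rec[k] for k in keys)]
        for i, agg in enumerate(aggs):
            row[i] += rec[agg]
    return dict(totals)

# Constructed sample records using the 'Common' parser's field names (not real log data)
RECORDS = [
    {"date": "2004-11-10", "file": "/index.html", "host": "crawl.google.com", "status": 200, "bytes": 1200, "requests": 1},
    {"date": "2004-11-10", "file": "/about.html", "host": "crawl.google.com", "status": 200, "bytes": 800, "requests": 1},
    {"date": "2004-11-10", "file": "/missing", "host": "10.0.0.5", "status": 404, "bytes": 300, "requests": 1},
    {"date": "2004-11-10", "file": "/index.html", "host": "crawl.google.com", "status": 304, "bytes": 0, "requests": 1},
]
```

run_select("requests BY file WHERE host =~ google", RECORDS) yields the README's google-per-file report as a dict keyed by file.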