Lucene Queries
Table of contents
Query attributes:
Fluency uses its own attribute names to search for such as “sip:A.B.C.D” to search for a source IP address. These attribute names such as “sip” are defined by Fluency and do not follow any public standard. Further chapters will describe common attributes. Please know that these attributes are case sensitive!
Query syntax behavior:
If Fluency is queried for attributes such as “sip:A.B.C.D” it is important to know that Fluency searches for results that are EQUAL to “A.B.C.D”. A query with the string “sip:A.B.C.” could indicate that any source IP within the range “A.B.C.” is searched. This query though will fail as Fluency will search for results with a value equal to “A.B.C.”. In this case operators of the Lucene syntax should be used instead such as “*”.
A query with string “sip:A.B.C.*” will be able return multiple results with any value at the fourth octet of the source IP.
| Attribute | Value Type | Description |
|---|---|---|
| @tags:squid | String | Any events tagged with “squid” |
| method | String | HTTP request method |
| http_host | String | Remote HTTP host |
| request_url | String | URL of HTTP query |
| src_ip | String | Client source IP |
| src_port | Numeric | Proxy outbound source port |
| dest_ip | String | Remote host IP |
| proto | String | Protocol name |
| action | String | Proxy TCP action |
| src_port_client | Numeric | Client source port |
| user | String | At proxy authenticated domain user account |
| dest_port | Numeric | Remote host port |
| user_agent | String | Client User-Agent string |
| status | Numeric | HTTP response code from remote host |