Database Reference
In-Depth Information
sourcetype=access_* | top 3 action by referer_domain
This code requests the events where the sourcetype is
access_*
(meaning that the web
server was accessed), and then lists the top 3 actions for each referring domain. Notice
that the default name count is specified at the top of the counts for each of the actions for
each
referer_domain
. If you wanted to name it something else (such as
Total
), you
could specify the following:
sourcetype=access_* | top 3 action by referer_domain
countfield=Total
The resulting window appears as shown in the following screenshot:
Top 3 Actions for referer_domain with Total Counts
