On Thursday, March 02, 2006 11:13 AM [EDT],
Obi-Wan <[EMAIL PROTECTED]> wrote:

>> Okay, try this:
>> HOSTALIAS REGEXP:172\.26\.(\d{1,3})\.(\d{1,3})$ $1.net
>>
>> This will give you an Organization Report that contains a list
>> <3rdOctet>.net "organizations",
>>
>> eg if you have 22 hits from 172.26.147.12, and 36 hits from
>> 172.26.147.108, then 147.net will be listed with 58 requests.
>>
>> If you need to identify individual hosts as well, use $2.$1.net
>> instead.
>>
>> You have to use a known TLD as the suffix, unless you want to update
>> Analog's .dom files
>
> Great!  Thanks.  I didn't know you could do regex in a HOSTALIAS.
> Here's what I ended up doing:
>
> HOSTALIAS REGEXP:(\d+)\.(\d+)\.(\d+) $3.$2.$1.arpa

As I can never get my head round regular expressions, what happened to the
4th octet? You haven't anchored your expression to the beginning or end of
the host string. Is it "safe" to just ignore anything after the 3rd octet?

Would this work for unresolved addresses in a log with DNS resolution
(ignoring resolved addresses, and only aliasing unresolved addresses?)

Using .arpa is a nice way of addressing the general case, though for an
intranet using one (or a few) Class C address ranges, sticking with just the
3rd octet might be more legible.

While it has only come up a few times over the year, I think this technique
might usefully be added to the FAQ, in addition to
http://analog.cx/docs/faq.html#faq148.

> DOMCHARTEXPAND "arpa,172.arpa,25.172.arpa,26.172.arpa"
> SUBDOMAIN *.*.*.*
>
> It ends up with results like:
>
> reqs %bytes domain
> 189500 100% .arpa (Arpanet)
> 189190 99.75%   172.arpa
> 126165 70.53%     26.172.arpa
> 18343 9.83%       14.26.172.arpa
> 13063 6.49%       12.26.172.arpa
> 9660 5.16%       9.26.172.arpa
> 62632 29.10%     25.172.arpa
> 9049 3.71%       4.25.172.arpa
> 7000 4.08%       13.25.172.arpa
> 5343 3.93%       7.25.172.arpa
> 166 0.04%   192.arpa
> 166 0.04%     168.192.arpa
> 98 0.02%       202.168.192.arpa
> 61 0.02%       203.168.192.arpa
> 7       226.168.192.arpa
>
> ...which isn't perfect, but is probably close enough.  Thanks for
> your help. Now, is there a way to make it chart more than just the
> top 10 domains?
> I didn't see anything under the chart commands quick reference.

http://analog.cx/docs/othreps.html#CHART says:
"Here are the exact rules for which wedges are plotted in the pie chart. Up
to ten wedges, plus "Other", are drawn, but wedges are only drawn if they
are large enough. Also, wedges are only drawn if the item is listed in the
main table for the report. And the whole chart will not be plotted if it
would contain only one wedge."

Aengus
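
Added example (not part of the original messages, and not Analog's own code): a Python sketch of the anchoring question raised above, comparing the unanchored pattern from the thread with an anchored variant on a mixed list of resolved and unresolved hosts. Python's `re` stands in for Analog's regex engine, the anchored pattern and the sample hosts are constructed for illustration, and it is an assumption here that a match anywhere in the name replaces the whole name.

```python
import re
from collections import Counter

# Pattern from the thread: no ^ or $, so it can match inside any host string.
UNANCHORED = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Hypothetical anchored variant: only a complete dotted quad matches.
ANCHORED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$")

# Constructed sample hosts, as they might appear in a partly resolved log.
SAMPLE = [
    "172.26.14.5",
    "172.26.14.200",
    "172.25.4.9",
    "192.168.202.17",
    "pc7.corp.example.com",         # resolved, no digits.digits.digits run
    "dsl-81.2.69.isp.example.net",  # resolved, but embeds three numeric labels
]

def alias(host, pattern):
    """Return $3.$2.$1.arpa when pattern matches, else the host unchanged.

    Assumption: a match anywhere replaces the whole host name.
    """
    m = pattern.search(host)
    if m is None:
        return host
    return "{}.{}.{}.arpa".format(m.group(3), m.group(2), m.group(1))

def report(hosts, pattern):
    """Count requests per aliased name, like a per-/24 domain report."""
    return Counter(alias(h, pattern) for h in hosts)

def misaliased(hosts):
    """Hosts the unanchored pattern rewrites but the anchored one leaves alone."""
    return [h for h in hosts
            if alias(h, UNANCHORED) != h and alias(h, ANCHORED) == h]

if __name__ == "__main__":
    for name, pattern in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name)
        for key, count in sorted(report(SAMPLE, pattern).items()):
            print("  {:>3}  {}".format(count, key))
    print("rewritten only by the unanchored pattern:", misaliased(SAMPLE))
```

Under these assumptions the 4th octet is simply never examined by the unanchored pattern, and a resolved name that happens to contain three numeric labels is attributed to a network it does not belong to.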
