# Recipe: ingest an Apache access log line by line, turn each line into a
# `log` node, and link every log node to a shared per-HTTP-verb node so that
# request counts per verb can be queried.
version: 2
title: Apache Log Analytics
contributor: https://github.com/joshcody
# Left empty by the author; nothing downstream in this file reads them.
summary: ''
description: ''

ingestStreams:
  - name: apache-log-ingest
    source:
      type: File
      # $in_file is supplied at run time; each line of the file is one record.
      path: $in_file
      format:
        type: Line
    # One node per input line. Capture groups (1-based in `r`) follow the
    # Apache combined log layout: host, (ident skipped), user, [timestamp],
    # "verb path httpVersion", status, size, "referrer", "agent".
    # NOTE(review): a line that does not match the regex (e.g. a malformed
    # request field) leaves `r` without the expected groups; what CREATE does
    # with the resulting property values is not visible here — confirm
    # against the ingest error handling.
    # Everything captured from the request line, referrer and agent is
    # client-controlled text stored verbatim; treat those properties as
    # untrusted and pass them to later queries as parameters, not by
    # splicing them into query strings.
    query: |-
      WITH text.regexFirstMatch($that, '(\S+)\s+\S+\s+(\S+)\s+\[(.+)\]\s+"(.*)\s+(.*)\s+(.*)"\s+([0-9]+)\s+(\S+)\s+"(.*)"\s+"(.*)"')
      AS r
      CREATE ({
        sourceIp: r[1],
        user: r[2],
        time: datetime(r[3], 'dd/MMM/yyyy:HH:mm:ss Z'),
        verb: r[4],
        path: r[5],
        httpVersion: r[6],
        status: r[7],
        size: r[8],
        referrer: r[9],
        agent: r[10],
        type: 'log'
      })

standingQueries:
  # Fires once per distinct `log` node id; the output enrichment then creates
  # (or re-uses) the node for that line's verb and links the two.
  - name: log-to-verb
    pattern:
      type: Cypher
      query: MATCH (l) WHERE l.type = 'log' RETURN DISTINCT id(l) AS id
      mode: DISTINCT_ID
    outputs:
      - name: verb
        preEnrichmentTransformation:
          type: InlineData
        resultEnrichment:
          # idFrom('verb', l.verb) yields the same id for the same verb, so
          # all GET lines attach to one `verb` node; the SET is a no-op on
          # repeat visits. Nothing is returned because the destination drops it.
          query: |-
            MATCH (l) WHERE id(l) = $that.id
            MATCH (v) WHERE id(v) = idFrom('verb', l.verb)
            SET v.type = 'verb',
              v.verb = l.verb
            CREATE (l)-[:verb]->(v)
            RETURN null
          # Name under which the matched row ({id: ...}) is bound in the query above.
          parameter: that
        destinations:
          # The enrichment result is discarded; the graph mutation is the effect.
          - type: Drop

nodeAppearances: []
quickQueries: []
# Same query as statusQuery below: number of log->verb edges whose verb node is GET.
sampleQueries:
  - name: Count HTTP GET Requests
    query: >-
      MATCH (l)-[rel:verb]->(v)
      WHERE l.type = 'log' AND v.type = 'verb' AND v.verb = 'GET'
      RETURN count(rel) AS get_count
# NOTE(review): presumably shown as the recipe's progress indicator; it
# duplicates the sample query above, so keep the two in sync if either changes.
statusQuery:
  cypherQuery: >-
    MATCH (l)-[rel:verb]->(v)
    WHERE l.type = 'log' AND v.type = 'verb' AND v.verb = 'GET'
    RETURN count(rel) AS get_count
