The filter arguments
While you may discover some big phenomena when looking at the unfiltered tables, that's only the surface, and you'll normally dive in soon enough with filters, either because the unfiltered data hinted at something interesting or because you wanted to look at some parts of your sites, some errors, etc.
So there's a filter argument for each field, and they may be combined.
On most shells, characters like `!` have a special meaning if not between single quotes. In case of doubt put your arguments between quotes, for example `rhit -s '!404'`.
Filter by Date-Time
The date-time filter argument is `--date`, shortened in
The order of tokens is year, month (numerical) then day (in 1-31). If you specify the time, it follows the same logic: hour, minute, seconds.
For example here are the 6 days in the range from
The filter's behavior is probably better explained with a list of examples:

| Goal | Filter |
|------|--------|
| Show the hits of a specific day | |
| Show the hits of a specific month | |
| Show the hits of a specific year | |
| All days but one | |
| Days after a specific one | |
| Days before a specific one | |
| Days of a specific range (inclusive) | |
| Precise range (4 minutes) | |
| Very precise range (a few seconds) | |

Shortcuts are sometimes possible. For example if all the log files are from the same year, you may omit it:
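To make the prefix logic of the date-time filter concrete, here is an added example (not rhit's code) that applies specs of decreasing precision to a handful of constructed ISO timestamps. Only the token order (year, month, day, hour, minute, second) comes from the documentation; the spec syntax used here (`!` for negation, `>` and `<` for after/before, `..` for an inclusive range) and the `matches`/`filter_hits` helpers are assumptions chosen for the example, and the year is always required.

```python
"""Prefix-based date-time filtering in the spirit of rhit's --date argument.

Added example, not rhit's own code. The spec syntax (`!`, `>`, `<`, `..`)
is an assumption for this example; only the token order
year, month, day, hour, minute, second comes from the documentation.
"""
import re
from datetime import datetime
from typing import List, Tuple

Tokens = Tuple[int, ...]

# Constructed sample timestamps (ISO 8601), as a log analyzer would extract them.
SAMPLE_HITS = [
    "2021-01-03T23:59:50",
    "2021-01-04T10:12:33",
    "2021-01-04T10:15:02",
    "2021-01-05T08:00:00",
    "2021-02-14T19:30:00",
    "2022-01-04T10:13:00",
]


def parse_tokens(text: str) -> Tokens:
    """Split '2021/01/04 10:12' (any non-digit separators) into (2021, 1, 4, 10, 12)."""
    parts = [int(p) for p in re.split(r"[^0-9]+", text.strip()) if p]
    if not 1 <= len(parts) <= 6:
        raise ValueError(f"expected 1 to 6 numeric tokens, got {text!r}")
    return tuple(parts)


def hit_tokens(iso: str) -> Tokens:
    """Full six-token tuple for one hit."""
    d = datetime.fromisoformat(iso)
    return (d.year, d.month, d.day, d.hour, d.minute, d.second)


def matches(spec: str, hit: Tokens) -> bool:
    """Apply one spec to one hit. A bare spec is a prefix: '2021/01' is the whole month."""
    spec = spec.strip()
    if spec.startswith("!"):                      # all hits but the ones matching
        return not matches(spec[1:], hit)
    if ".." in spec:                              # inclusive range, each bound at its own precision
        lo, hi = (parse_tokens(s) for s in spec.split("..", 1))
        return hit[:len(lo)] >= lo and hit[:len(hi)] <= hi
    if spec.startswith(">"):                      # strictly after the given day/minute/...
        ref = parse_tokens(spec[1:])
        return hit[:len(ref)] > ref
    if spec.startswith("<"):                      # strictly before
        ref = parse_tokens(spec[1:])
        return hit[:len(ref)] < ref
    ref = parse_tokens(spec)                      # plain prefix match
    return hit[:len(ref)] == ref


def filter_hits(spec: str, hits: List[str]) -> List[str]:
    """Keep the hits whose timestamp satisfies the spec, in log order."""
    return [h for h in hits if matches(spec, hit_tokens(h))]


if __name__ == "__main__":
    for spec in ["2021/01/04", "2021/01", "!2021/01/04", ">2021/01/04", "<2021/01/04",
                 "2021/01/04..2021/01/05", "2021/01/04 10:12..2021/01/04 10:15"]:
        print(f"{spec:40} -> {filter_hits(spec, SAMPLE_HITS)}")
```

Comparing truncated tuples is what makes a short spec behave as "the whole day" or "the whole month": the hit's remaining tokens are simply never looked at, which is the shortcut the text describes for the year.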
Filter by Time
To filter by the time in the day (in the server timezone), use
For example to get evening hits, use
Filter by Remote IP Address
Remote IP filters are defined with `--ip`, shortened in
You may filter to show the hits of a specific IP or the other ones, or do a string based filtering.

| Goal | Filter |
|------|--------|
| Show the hits of a specific IP | |
| Show all hits but the ones of a specific IP | |
| Show all hits from IPs starting with "192" | |
Filter by Method
Method filters are defined with `--method`, shortened in
You may either filter to show the hits of a specific method or the other ones.

| Goal | Filter |
|------|--------|
| Show the hits of a specific method | |
| Show all hits but the ones of a specific method | |
Filter by Path
The path filter (defined with `-p`) is the most common one and the most powerful, with a versatile syntax.
The simplest path filter is just a word that the path must contain, for example `-p blog` when you want to see all hits on paths containing "blog".
But it may also be a regular expression, for example all paths with "download" and ending in "exe":
You may negate an expression with a `!`. For example, all hits not ending in "broot/": `-p '!broot/$'`
You may add conditions by separating them with commas. To say you want all downloads, but not the exe and not rhit, you can say `-p 'download,!rhit,!exe$'`
If your query is more complex, use parentheses and logical operators such as `!` (add parentheses around operators and parentheses to avoid them being understood as part of regular expressions).
Here's a list of examples:

| Filter | Meaning |
|--------|---------|
| | path contains "blog" |
| | path contains "blog" and "broot", in this order |
| | path contains "blog" and "broot", in whatever order |
| | path starts with "down" and ends in "broot" with optionally "exe" |
| | path contains "down/" immediately followed by either "rh" or "bro" |
| | path contains "down/bro" and doesn't end in "exe" |
| | path contains "og" or "broot" without "exe" |
| | paths that aren't just a number |
| | paths that aren't a number and don't contain "broot" |
| | path contains "y" but neither a 4 digit number, "sp", nor "bl" |
Filter by Referer
Referer filters are specified with
They follow exactly the same syntax as path filters.
Filter by Status
Status filters are specified with
The syntax is quite versatile.

| Filter | Meaning |
|--------|---------|
| | status is 404 |
| | status is not 404 |
| | status is of class 4xx (client error) |
| | status is of class 4xx (client error) but not 404 |
| | status is between 402 and 420 |
| | status is either in the 3xx class or from 401 to 405 |
Most often a single filter isn't enough to study some event or phenomenon.
You may want to answer a specific question, like which PHP files are hit by something other than attack probes:

`rhit -p '\.php$' -s '!4xx'`
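The path and status sections above describe the two filters that this closing query combines. As an added example (not rhit's own code), the block below implements both over a few constructed combined-format access-log lines and answers the same question: PHP paths whose status is not a client error. The comma-separated, `!`-negatable regex conditions for paths follow the text; the status grammar (code, `Nxx` class, `lo-hi` inclusive range, `!` negation, comma-separated terms where positive terms are alternatives and negative terms are exclusions) is an assumption chosen to satisfy the cases the table describes, as are the `query`, `compile_path_filter` and `compile_status_filter` names.

```python
"""Path and status filtering over access-log lines, in the spirit of rhit's
-p and -s arguments. Added example, not rhit's own code.

Assumed semantics (chosen to match the cases described in the documentation):
- path spec: comma-separated regular expressions that must all match, each
  optionally negated with a leading '!'
- status spec: comma-separated terms; a term is a code (404), a class (4xx)
  or an inclusive range (402-420), each optionally negated with '!'. A hit
  matches if it satisfies at least one positive term (or there is none) and
  no negative term.
"""
import re
from typing import Callable, Dict, List, Optional

# Constructed nginx/Apache combined-format lines; not real traffic.
SAMPLE_LOG = """\
192.168.1.10 - - [04/Jan/2021:10:12:33 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Jan/2021:10:12:40 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.68"
10.0.0.7 - - [04/Jan/2021:10:12:41 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "curl/7.68"
192.168.1.22 - - [04/Jan/2021:10:13:05 +0000] "GET /download/broot.exe HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
192.168.1.22 - - [04/Jan/2021:10:13:09 +0000] "GET /download/rhit HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
192.168.1.22 - - [04/Jan/2021:10:13:12 +0000] "GET /download/broot.tar.gz HTTP/1.1" 200 70000 "-" "Mozilla/5.0"
172.16.0.3 - - [04/Jan/2021:10:14:00 +0000] "GET /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
172.16.0.3 - - [04/Jan/2021:10:14:02 +0000] "GET /admin/index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Dict[str, str]:
    """Extract ip, time, method, path and status from one combined-format line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def compile_path_filter(spec: str) -> Callable[[str], bool]:
    """'download,!rhit,!exe$' -> every condition must hold (negated ones must not match)."""
    conditions = []
    for raw in spec.split(","):
        raw = raw.strip()
        negate = raw.startswith("!")
        conditions.append((negate, re.compile(raw[1:] if negate else raw)))

    def check(path: str) -> bool:
        return all(bool(pattern.search(path)) != negate for negate, pattern in conditions)
    return check


def parse_status_term(term: str) -> Callable[[int], bool]:
    """One status term: '404', '4xx' or '402-420'."""
    if re.fullmatch(r"[1-5]xx", term):
        cls = int(term[0])
        return lambda s: s // 100 == cls
    m = re.fullmatch(r"(\d{3})-(\d{3})", term)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lambda s: lo <= s <= hi
    if re.fullmatch(r"\d{3}", term):
        code = int(term)
        return lambda s: s == code
    raise ValueError(f"bad status term {term!r}")


def compile_status_filter(spec: str) -> Callable[[int], bool]:
    """Positive terms are alternatives; negative terms are exclusions applied afterwards."""
    positive, negative = [], []
    for raw in spec.split(","):
        raw = raw.strip()
        (negative if raw.startswith("!") else positive).append(
            parse_status_term(raw.lstrip("!")))

    def check(status: int) -> bool:
        if positive and not any(t(status) for t in positive):
            return False
        return not any(t(status) for t in negative)
    return check


def query(log: str, path: Optional[str] = None, status: Optional[str] = None) -> List[str]:
    """Return the paths of the hits matching both filters, e.g. query(log, r'\\.php$', '!4xx')."""
    path_ok = compile_path_filter(path) if path else (lambda _p: True)
    status_ok = compile_status_filter(status) if status else (lambda _s: True)
    return [hit["path"] for hit in map(parse_line, log.splitlines())
            if path_ok(hit["path"]) and status_ok(int(hit["status"]))]


if __name__ == "__main__":
    print(query(SAMPLE_LOG, path=r"\.php$", status="!4xx"))
```

Because the filters are compiled once and applied per line, the same closures can be reused across a large log without re-parsing the spec, which is also the natural place to reject a malformed spec before any line is read.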