A better way to Query Log!


I work with all kinds of logging and alerts regularly in my profession, and one tool we often use is Splunk. I love Pi-hole but I think there's some room for improvement on the Query log section in it.

There should be a filter option in Query Logging, preferably for any of the columns there, and simultaneously filterable. People often need to narrow down on a specific set of criteria. For example, a range on the time column, a filtering status to blocked or OK (or even OK cached!), a specific client IP, or even a domain (maybe regex, maybe a word? Anything would help!).

Let's give a situation to think about: A laptop isn't loading something you think it should be. You head over to the Query Log... now how do we see JUST the blocked entries right now as pi-hole is today? We have to sort through all sorts of noise looking at IPs, times, domains, etc. If we could filter... how about the blocked entries in the last 15 minutes only? What about a 10 min window that happened an hour ago? How about the blocked entries, in the last 15 minutes, with the word "pi-hole" in it to narrow it down? :slight_smile: With filtering we could do all that. People could find what they were looking for quickly and easily.

Take the troubleshooting a step further: We could even then learn that traffic matching the criteria was all coming from a certain IP, remove the domain word filter, and filter down on that IP instead, and now they have a list of the blocked entries for a given time period, for a given IP and be able to much better sort out what passed and what was blocked, and if something needs to be white-listed.

In short, filtering! The columns need filtering please!

Thanks all,

As a workaround until such a feature is implemented, you can do this from the command line with grep and the log at /var/log/pihole.log.
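The grep workaround above, extended into a small shell filter that does the column-style filtering the request asks for (time window, blocked/OK/cached status, client IP, domain pattern). This is an added example, not code from the thread or from Pi-hole itself; the log lines are constructed, and the field layout (`query[...] DOMAIN from CLIENT`, then `gravity blocked`, `cached` or `forwarded` lines for that domain) is assumed to match what Pi-hole writes to /var/log/pihole.log.

```shell
#!/bin/sh
# Constructed sample in the dnsmasq-style layout assumed for /var/log/pihole.log.
# Result lines ("gravity blocked", "cached", "forwarded") carry no client, so the
# client is recovered from the most recent query[...] line for the same domain.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 09:00:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Jan 10 09:00:01 dnsmasq[812]: forwarded www.example.com to 1.1.1.1
Jan 10 09:00:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Jan 10 09:12:30 dnsmasq[812]: query[A] ads.tracker.net from 192.168.1.42
Jan 10 09:12:30 dnsmasq[812]: gravity blocked ads.tracker.net is 0.0.0.0
Jan 10 09:13:05 dnsmasq[812]: query[AAAA] cdn.example.com from 192.168.1.42
Jan 10 09:13:05 dnsmasq[812]: cached cdn.example.com is 2606:2800:220:1::1946
Jan 10 09:14:40 dnsmasq[812]: query[A] pi-hole.net from 192.168.1.42
Jan 10 09:14:40 dnsmasq[812]: forwarded pi-hole.net to 1.1.1.1
Jan 10 09:20:11 dnsmasq[812]: query[A] metrics.tracker.net from 192.168.1.20
Jan 10 09:20:11 dnsmasq[812]: gravity blocked metrics.tracker.net is 0.0.0.0
EOF
)

# filter_log FROM TO STATUS CLIENT DOMAIN_REGEX   (log on stdin)
#   FROM/TO      : HH:MM:SS bounds, inclusive, compared against the log timestamp
#   STATUS       : blocked | ok (forwarded or cached) | cached | any
#   CLIENT       : client IP, or "" for any client
#   DOMAIN_REGEX : awk regex matched against the domain, or "" for any domain
# Prints one "TIME CLIENT DOMAIN STATUS" line per matching query.
filter_log() {
    awk -v from="$1" -v to="$2" -v want="$3" -v client="$4" -v re="$5" '
        index($5, "query[") == 1 { last_client[$6] = $8; next }  # remember who asked
        {
            if ($5 == "gravity" && $6 == "blocked") { dom = $7; st = "blocked" }
            else if ($5 == "cached")                 { dom = $6; st = "cached" }
            else if ($5 == "forwarded")              { dom = $6; st = "ok" }
            else next                                 # reply/other lines: skip
            c = (dom in last_client) ? last_client[dom] : "unknown"
            if ($3 < from || $3 > to) next            # HH:MM:SS compares as a string
            if (want != "any" && st != want && !(want == "ok" && st == "cached")) next
            if (client != "" && c != client) next
            if (re != "" && dom !~ re) next
            print $3, c, dom, st
        }'
}

# Blocked entries in a 15-minute window whose domain contains "tracker":
printf '%s\n' "$SAMPLE_LOG" | filter_log 09:00:00 09:15:00 blocked "" tracker
# Everything one client did in that window (blocked, cached and forwarded):
printf '%s\n' "$SAMPLE_LOG" | filter_log 09:00:00 09:15:00 any 192.168.1.42 ""
```

Against a live install the same function reads the real file: `filter_log 09:00:00 09:15:00 blocked "" tracker < /var/log/pihole.log`.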

Advanced (multiple) filtering in Query log is being worked on.

Advanced filtering is implemented in v5.1