How to Extract DNS Queries

Please point me toward documentation on how to extract entries from the Query Log so I can do something with them besides page through 10 at a time. It must be (literally) as "plain as day", but I cannot see it.

In the web admin dashboard > Query log, there is a selection box where you can select how many items you wish to display per screen:

Or you can click "show all" at the top of that screen.

You can also directly query the pihole logs in directory /var/log. An example - here I am looking for any queries to amazon domains and just want to list the last 15 of them:

sudo grep amazon /var/log/pihole.log | grep query | tail -n15
Sep 24 19:46:19 dnsmasq[16583]: query[A] mads.amazon-adsystem.com from 192.168.0.125
Sep 24 19:46:19 dnsmasq[16583]: query[A] aax-us-east.amazon-adsystem.com from 192.168.0.125
Sep 24 19:46:26 dnsmasq[16583]: query[A] arcus-uswest.amazon.com from 192.168.0.118
Sep 24 19:46:53 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.122
Sep 24 19:47:02 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.121
Sep 24 19:47:23 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.120
Sep 24 19:47:53 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.122
Sep 24 19:48:03 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.121
Sep 24 19:48:23 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.120
Sep 24 19:48:59 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.118
Sep 24 19:49:11 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.121
Sep 24 19:49:38 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.122
Sep 24 19:49:56 dnsmasq[16583]: query[A] device-metrics-us.amazon.com from 192.168.0.120
Sep 24 19:50:07 dnsmasq[16583]: query[A] mads.amazon-adsystem.com from 192.168.0.125
Sep 24 19:50:07 dnsmasq[16583]: query[A] aax-us-east.amazon-adsystem.com from 192.168.0.125

That is SO CLOSE. Thanks.
But, a bit more 'detail' than I was looking for. One line for who asked for it. One line to say if it was forwarded to DNS. Another line with results. Does the web page draw from the log, or from a database?

The web page draws from the long term database when it loads (the default is that it reads the previous 24 hours, to fully populate the dashboard). During operation, queries are written both to the long term database and to the pihole log. The pihole log is rotated nightly and the current day and 5 previous days are retained. The long term database default is to save 365 days of information. The database is in SQL format, so you need SQL to read it. The log is just text.

ls -lh /var/log | grep pihole.log
-rw-r--r-- 1 pihole      pihole   8.5M Sep 24 23:42 pihole.log
-rw-r--r-- 1 pihole      pihole   8.3M Sep 24 00:00 pihole.log.1
-rw-r--r-- 1 pihole      pihole   539K Sep 23 00:00 pihole.log.2.gz
-rw-r--r-- 1 pihole      pihole   492K Sep 22 00:00 pihole.log.3.gz
-rw-r--r-- 1 pihole      pihole   412K Sep 21 00:00 pihole.log.4.gz
-rw-r--r-- 1 pihole      pihole   391K Sep 20 00:00 pihole.log.5.gz

You can do all this with the correctly formatted Linux commands.
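The one-line-per-query view asked for above, as an added shell example (not code from the Pi-hole project or this thread): an awk filter that joins each query[...] line in pihole.log with its later forwarded/cached/reply/gravity-blocked lines. It assumes the standard dnsmasq log layout shown in the grep output above; the sample lines it runs on are constructed, with documentation addresses for the upstream and answers.

```shell
# Added example, not code from the Pi-hole project. Condenses dnsmasq-format
# pihole.log lines into one line per query: time, client, record type, name,
# how it was resolved (forwarded/cached/blocked/unresolved) and the answers.
# Caveat: the default dnsmasq log format carries no query id, so lines are
# correlated by name; overlapping queries for the same name will be merged.
summarize_pihole_log() {
  awk '
    # "Sep 24 19:46:19 dnsmasq[16583]: query[A] host from 192.168.0.125"
    $5 ~ /^query\[/ {
      r = ++n; cur[$6] = r; dom[r] = $6; client[r] = $8
      when[r] = $1 " " $2 " " $3
      t = $5; sub(/^query\[/, "", t); sub(/\]$/, "", t); qtype[r] = t
      next
    }
    # later lines are attributed to the most recent query for that name
    $5 == "forwarded" && ($6 in cur) { how[cur[$6]] = "forwarded:" $8; next }
    $5 == "cached" && ($6 in cur) {
      r = cur[$6]; how[r] = "cached"; ans[r] = ans[r] (ans[r] ? "," : "") $8; next
    }
    $5 == "reply" && ($6 in cur) {
      r = cur[$6]; ans[r] = ans[r] (ans[r] ? "," : "") $8; next
    }
    $5 == "gravity" && $6 == "blocked" && ($7 in cur) {
      r = cur[$7]; how[r] = "blocked"; ans[r] = $9; next
    }
    END {
      for (r = 1; r <= n; r++)
        printf "%s %s %s %s %s %s\n", when[r], client[r], qtype[r], dom[r],
          ((r in how) ? how[r] : "unresolved"), ((r in ans) ? ans[r] : "-")
    }
  '
}

# Constructed sample lines in the pihole.log format (192.0.2.53 and
# 203.0.113.x are documentation addresses, not real hosts).
sample_log() {
  cat <<'EOF'
Sep 24 19:46:19 dnsmasq[16583]: query[A] mads.amazon-adsystem.com from 192.168.0.125
Sep 24 19:46:19 dnsmasq[16583]: forwarded mads.amazon-adsystem.com to 192.0.2.53
Sep 24 19:46:19 dnsmasq[16583]: reply mads.amazon-adsystem.com is 203.0.113.10
Sep 24 19:46:19 dnsmasq[16583]: reply mads.amazon-adsystem.com is 203.0.113.11
Sep 24 19:46:26 dnsmasq[16583]: query[A] arcus-uswest.amazon.com from 192.168.0.118
Sep 24 19:46:26 dnsmasq[16583]: cached arcus-uswest.amazon.com is 203.0.113.20
Sep 24 19:46:53 dnsmasq[16583]: query[AAAA] device-metrics-us.amazon.com from 192.168.0.122
Sep 24 19:46:53 dnsmasq[16583]: gravity blocked device-metrics-us.amazon.com is ::
EOF
}

# Run on the sample; on a Pi-hole: summarize_pihole_log < /var/log/pihole.log
sample_log | summarize_pihole_log
```

Rotated logs can be fed the same way with `zcat /var/log/pihole.log.2.gz | summarize_pihole_log`.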

I've put together a basic method of querying the long term database that can be used as a starting point for constructing your own queries.
