Who's been looking at this web site?
$ squeal "count(*)", ip_addr from /var/log/httpd/*access_log* group by ip_addr;
(querying multiple files at once, aggregating results easily)

How much has each user been downloading?
$ squeal host, "count(*)", "total(size)" from /var/log/httpd/*access_log* group by host;

What are all the 404s?
$ squeal distinct request from /var/log/httpd/*access_log* where status = 404

Look at number/size of requests in the apache logs:
$ squeal filename, "count(*)", "total(size)" from /var/log/httpd/*access_log* group by filename order by "total(size)" desc
                       filename|count(*)|total(size)|
-------------------------------+--------+-----------+
/var/log/httpd/ssl_access_log.4|    1921| 12824849.0|
    /var/log/httpd/access_log.3|     222|  6207367.0|
/var/log/httpd/ssl_access_log.3|     741|  2210799.0|
    /var/log/httpd/access_log.4|     268|   626711.0|
/var/log/httpd/ssl_access_log.1|       8|    13351.0|
/var/log/httpd/ssl_access_log.2|       5|     7305.0|
    /var/log/httpd/access_log.2|       4|     6995.0|
    /var/log/httpd/access_log.1|       2|      288.0|


Querying yum logs (dealing with changes in format internally):
[root@brick ~]# squeal from /var/log/yum.log* where 'name like "kernel%"' limit 5
           time|    event|           name|  arch|epoch|  version|     release|        filename|
---------------+---------+---------------+------+-----+---------+------------+----------------+
Feb 14 20:00:03|Installed|kernel-firmware|noarch| None|2.6.27.12|170.2.5.fc10|/var/log/yum.log|
Feb 14 20:00:28|  Updated| kernel-headers|  i386| None|2.6.27.12|170.2.5.fc10|/var/log/yum.log|
Feb 14 20:15:11|Installed|   kernel-devel|  i686| None|2.6.27.12|170.2.5.fc10|/var/log/yum.log|
Feb 14 21:05:53|Installed|         kernel|  i686| None|2.6.27.12|170.2.5.fc10|/var/log/yum.log|
Feb 14 21:12:41|Installed|     kernel-PAE|  i686| None|2.6.27.12|170.2.5.fc10|/var/log/yum.log|

Querying the host's RPM database, finding packages by name with more than one installed:
[david@brick ~]$ squeal name, "count(*)" from rpm group by name having "count(*)>1"
                     name|count(*)|
-------------------------+--------+
               gpg-pubkey|       4|
jakarta-commons-validator|       2|
 java-1.6.0-openjdk-devel|       2|
                   kernel|       3|
             kernel-devel|       2|
               kernel-xen|       3|
                  libgnat|       2|
                  openssl|       2|

Looking in RPM database by vendor:
[david@brick ~]$ squeal vendor, "count(*)" from rpm group by vendor
            vendor|count(*)|
------------------+--------+
              None|      12|
    Fedora Project|    2042|
              Koji|       2|


Output as HTML:
$ squeal --format=html from rpm > test.html

Looking in sys logs:
$ squeal "count(*)", source from /var/log/messages* group by source order by "count(*)" desc

count(*)|source              |
--------+--------------------+
1633    |kernel              |
1324    |NetworkManager      |
98	|ntpd                |
70	|avahi-daemon        |
63	|dhclient            |
48	|setroubleshoot      |
39	|dnsmasq             |
29	|nm-system-settings  |
27	|bluetoothd          |
14	|/usr/sbin/gpm       |
13	|acpid               |
10	|init                |
9	|pcscd               |
9	|pulseaudio          |
6	|gnome-keyring-ask   |
6	|gnome-keyring-daemon|
6	|gnome-session       |
6	|rsyslogd            |
5	|rpc.statd           |
4	|vpnc                |
3	|gdm-session-worker  |
2	|auditd              |
2	|console-kit-daemon  |
2	|libvirtd            |
2	|rpcbind             |
1	|nm-dispatcher.action|
1	|restorecond         |


Other queries:
$ squeal /var/log/secure* where message like \"%authentication failure%\"

$ squeal /etc/yum.repos.d/*.repo where gpgcheck != \'"1"\'
$ squeal /etc/xinetd.d/*
$ squeal /etc/aliases
$ squeal /etc/inittab
$ squeal /etc/passwd where shell !=\'/sbin/nologin\'
