Hi all, I'm new to Splunk. I've managed to get it set up and imported a load of Apache log files. When I search by host, it shows all the logs but I can't quite work out the next step.
Ultimately I would like to produce a chart/graph of the number of times an IP address appears in the events, and Splunk has correctly identified the date/time stamp, and sorted accordingly. I can see the IP addresses in the event, but can't work out how to get the data into a graph format.
There doesn't seem to be an IP address field, how do I use Splunk to extract the IP addresses from the logs?
I'm sure this is quite a basic thing to do, I'll continue my research online.
Thanks.
I changed the source type to "access_combined" and now it's sorted, thanks 😉
You can include the following in your search to extract the IP address at search time and use this field in your charting search.
your base search | rex "(?<IP_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | your chart search using field IP_address
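The extract-then-count step this answer describes, done outside Splunk so you can see what the `rex` field extraction and the charting commands actually compute. This is an added example, not code from the thread or from Splunk; the parser, the function names and all sample lines except the one posted further down the thread are my own constructed input. It also shows the one caveat worth knowing about the unanchored `\d{1,3}\.\d{1,3}...` pattern: it returns the first dotted quad anywhere in the event, so when the client field is a hostname (HostnameLookups on) it will happily pick an IP out of the referer instead.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events in Apache access_combined format. The first line is the
# entry posted in this thread; the rest are made up. The last two exercise failure
# modes: a client field that is a hostname, and a line that is not an access log at all.
SAMPLE_LOG = '''65.55.52.111 - - [18/Nov/2013:20:50:42 -0700] "GET acme.com/~fb872661/ HTTP/1.1" 200 6374 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0 "redirect-handler" "/var/chroot/home/content/20/11043820/html/index.php" 228881
203.0.113.7 - - [18/Nov/2013:20:51:10 -0700] "GET /index.php HTTP/1.1" 200 1234 "-" "curl/7.32.0"
203.0.113.7 - - [18/Nov/2013:21:05:00 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.32.0"
198.51.100.23 - - [18/Nov/2013:21:07:33 -0700] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0"
crawler.example.net - - [18/Nov/2013:21:09:01 -0700] "GET / HTTP/1.1" 200 100 "http://198.51.100.9/" "Mozilla/5.0"
this line is not an access log entry at all
'''

# Anchored parser for the standard combined format (client, ident, user, timestamp,
# request, status, bytes, then optional referer and user agent). Extra trailing fields,
# as in the posted entry, are ignored because match() does not require end-of-line.
ACCESS_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)")?'
)

# The unanchored pattern from the answer above: first dotted quad anywhere in the event.
IPV4_ANYWHERE = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')


def parse_access_line(line):
    """Return a dict of fields for one access_combined event, or None if it does not match."""
    m = ACCESS_COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache's timestamp format, including the numeric UTC offset.
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every line, silently dropping lines that are not access_combined events."""
    return [r for r in (parse_access_line(l) for l in text.splitlines()) if r]


def first_ipv4_anywhere(line):
    """What the unanchored rex captures: the first IPv4-looking string in the event."""
    m = IPV4_ANYWHERE.search(line)
    return m.group(0) if m else None


def count_by_ip(records):
    """Equivalent of '... | stats count by client': total hits per client."""
    return Counter(r["client"] for r in records)


def count_by_ip_per_hour(records):
    """Equivalent of '... | timechart span=1h count by client': {hour: Counter}."""
    buckets = defaultdict(Counter)
    for r in records:
        hour = r["time"].strftime("%Y-%m-%d %H:00")
        buckets[hour][r["client"]] += 1
    return dict(buckets)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("hits per client:")
    for client, n in count_by_ip(records).most_common():
        print(f"  {client:<22} {n}")
    print("hits per client per hour:")
    for hour, counter in sorted(count_by_ip_per_hour(records).items()):
        print(f"  {hour}: {dict(counter)}")
    hostname_line = SAMPLE_LOG.splitlines()[4]
    print("unanchored rex on the hostname line picks:", first_ipv4_anywhere(hostname_line))
```

In Splunk terms, `count_by_ip` is `... | rex "^(?<IP_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | stats count by IP_address` (note the `^` anchor) and `count_by_ip_per_hour` is `... | timechart span=1h count by IP_address`. With the sourcetype set to `access_combined`, as the poster did, Splunk's built-in extraction already gives you a `clientip` field and the `rex` is not needed at all.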
Take a look at the search tutorial: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
These kinds of questions are answered and explained there, even using access logs as an example.
Here is an entry from Splunk
65.55.52.111 - - [18/Nov/2013:20:50:42 -0700] "GET acme.com/~fb872661/ HTTP/1.1" 200 6374 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0 "redirect-handler" "/var/chroot/home/content/20/11043820/html/index.php" 228881