Access_log delimiter problem

Norling80 · ‎10-10-2014

Hi

I have a JBoss access-log source with space as the delimiter between the fields, here is the log structure:
"%{Host}i %{X-Forwarded-For}i %{Referer}i %{User-agent}i %h %l %u %t %r %s %b

I have defined the sourcetype in props.conf and set the log structure in transforms.conf (see config below), my problem is that several of the fields in the logs contains space for example the UserAgent field and this mess up the entire import.

Any suggestions how to ignore the spaces within the different fields?

Current configuration:
Props.conf
[lcaccesslog]
SHOULD_LINEMERGE = False
pulldown_type = 1
REPORT-getfields = lcaccesslog_fields

Transforms.conf
[lcaccesslog_fields]
DELIMS=" "
FIELDS = "Host","X-ForwardedFor","Referer","UserAgent","RemoteHost","RemoteLogicalUserName","RemoteUser","DateTime","Method","StatusCode","BytesSent"

regards
/Magnus

peter_krammer · ‎10-10-2014

First of all, if possible change the log structure to something easier to analyse.
But if this is not possible here is something you can try:
Are the fields wrapped in either " or ' ?
Because than you could us a DELIMS="\" \"" or DELIMS="'"

if you can change the format use something like this:
field1="value1", field2="value2",...

Hope this helps.

Access_log delimiter problem

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life