Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do a field extraction for an Apache access log?

krishnacasso
Path Finder
‎11-11-2016 07:33 AM

Here are the sample events how the apache log looks like,

198.89.160.140 - - [10/Nov/2016:19:31:31 -0500] 48532 "GET /abc/def/ghi HTTP/1.1" 200 83 "-" "-"
198.89.160.140,123.456.789,10.11.12.134 - - [10/Nov/2016:19:31:35 -0500] 47152 "GET /bcf/dek/ghc HTTP/1.1" 200 73 "-" "-"

The format of the log is defined as "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\".

1. %h               -   clientIP
2. %l               -   IdentityCheck
3. %u               -   REMOTE_USER

4. %t               -   
[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit


5. \"%r\            - method
6. %>s              -statuscode
7. %b               -size   
8. \"%{Referer}i\   -Referer    
9. \"%{User-Agent}i\-Useragent

10. List item

When I tried field extraction for the first field it is not taking all 3 IP, instead it is taking the only 1 IP which is wrong.
Did any one tried this? Can some guide how to get the fields in format above so I can build few dashboards?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:45 AM

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rdimri_splunk
Splunk Employee
Splunk Employee
‎11-11-2016 09:04 AM

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:45 AM

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...