Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do a field extraction for an Apache access log?

krishnacasso
Path Finder
‎11-11-2016 07:33 AM

Here are the sample events how the apache log looks like,

198.89.160.140 - - [10/Nov/2016:19:31:31 -0500] 48532 "GET /abc/def/ghi HTTP/1.1" 200 83 "-" "-"
198.89.160.140,123.456.789,10.11.12.134 - - [10/Nov/2016:19:31:35 -0500] 47152 "GET /bcf/dek/ghc HTTP/1.1" 200 73 "-" "-"

The format of the log is defined as "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\".

1. %h               -   clientIP
2. %l               -   IdentityCheck
3. %u               -   REMOTE_USER

4. %t               -   
[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit


5. \"%r\            - method
6. %>s              -statuscode
7. %b               -size   
8. \"%{Referer}i\   -Referer    
9. \"%{User-Agent}i\-Useragent

10. List item

When I tried field extraction for the first field it is not taking all 3 IP, instead it is taking the only 1 IP which is wrong.
Did any one tried this? Can some guide how to get the fields in format above so I can build few dashboards?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:45 AM

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rdimri_splunk
Splunk Employee
Splunk Employee
‎11-11-2016 09:04 AM

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:45 AM

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...