Hello,
I have recently configured a Splunk light forwarder to monitor an apache access_log. I specified that the file being watched be recognized as an 'access_common' sourcetype. We are using the standard apache output.
Unfortunately, this pre-trained sourcetype does not seem to be parsing the fields in the log data. Is there something else I need to configure? I was under the impression that things like the IP address would be automatically assigned to a field...
Thanks
By default, Splunk should extract the standard fields for sourcetypes access_combined, access_combined_wcookie and access_common using the regex in transforms.conf called access-extractions.
Since it's not parsing the data, it probably means that the regex isn't matching your log lines. If you paste a sample line, someone on answers should be able to point out why the extraction fails. Alternately, you can copy the extraction called access-extraction from etc/system/default/transforms.conf to etc/system/local/transforms.conf and tweak it to extract your fields.
By default, Splunk should extract the standard fields for sourcetypes access_combined, access_combined_wcookie and access_common using the regex in transforms.conf called access-extractions.
Since it's not parsing the data, it probably means that the regex isn't matching your log lines. If you paste a sample line, someone on answers should be able to point out why the extraction fails. Alternately, you can copy the extraction called access-extraction from etc/system/default/transforms.conf to etc/system/local/transforms.conf and tweak it to extract your fields.
which extraction did you remove?
Thanks - I moved the extraction to /local/transforms.conf and then removed one of the extractions - everything then worked.