Splunk Search

How can I add two new fields to my logs?

romgo75
New Member

Hello,

On my servers I use combined Apache logs, but I added two other fields at the end of the logs: SSL_PROTOCOL and X-Forwarded-For

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{X-Forwarded-For}i" combined

The logs look like this:

192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2

or:
192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2 192.168.2.1 192.168.6.2

With the default access_combined sourcetype the PROTOCOL and X-Forwarded values are located in other fields. But I would like to add two new fields for that, like TLS_version and xforwarded.

Any idea how to do this?

Regards

0 Karma

romgo75
New Member

I will answer my own question:

Just by using the field extractor with a regexp I was able to create those two new fields.

0 Karma
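The answer above says a regexp extraction did the job but does not show one. The following is an added example, not code from the original post or from Splunk, that builds a PCRE-compatible regex for the poster's LogFormat and runs it over constructed sample events shaped like the two in the question (plus a constructed plain-HTTP event, where mod_ssl logs "-" for SSL_PROTOCOL and the X-Forwarded-For chain is comma-separated as the header actually is). The field names TLS_version and xforwarded are the ones the poster asked for; xff_chain and the helper extract_tls_xff are this example's own names.

```python
import re

# Constructed sample events in the poster's custom LogFormat (not real server data):
#   [0] no X-Forwarded-For header at all
#   [1] two addresses, space-separated as in the question
#   [2] plain HTTP (SSL_PROTOCOL unset -> "-") with a comma-separated XFF chain
SAMPLE_EVENTS = [
    '192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2',
    '192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2 192.168.2.1 192.168.6.2',
    '10.0.0.5 - - [28/Aug/2017:22:30:00 +0200] "GET /health HTTP/1.1" 200 120 "-" "curl/7.58.0" - 203.0.113.9, 10.0.0.2',
]

# One quoted field; allows Apache's \" escaping inside the request line,
# Referer and User-Agent so a quote in a header cannot shift the columns.
QUOTED = r'"(?:[^"\\]|\\.)*"'

# Anchored at the start of the line so the HTTP status can never be taken
# for the TLS field; the X-Forwarded-For tail is optional because the header
# is absent for direct clients. The pattern is plain PCRE, so it can also be
# used unchanged as an EXTRACT-<class> regex in props.conf for the sourcetype.
EXTRACT_TLS_XFF = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + r' ' + QUOTED
    + r' (?P<TLS_version>\S+)(?: (?P<xforwarded>.+))?$'
)


def extract_tls_xff(event: str) -> dict:
    """Return the two new fields for one access-log event.

    Apache writes "-" when a value is unavailable (e.g. SSL_PROTOCOL on a
    plain HTTP request); that placeholder is normalised to None. The raw
    X-Forwarded-For text is kept in 'xforwarded' and additionally split into
    a list of addresses in 'xff_chain', accepting comma or space separators.
    """
    m = EXTRACT_TLS_XFF.match(event)
    if not m:
        return {"TLS_version": None, "xforwarded": None, "xff_chain": []}
    tls = m.group("TLS_version")
    xff = m.group("xforwarded")
    chain = []
    if xff:
        chain = [a for a in re.split(r"[,\s]+", xff.strip()) if a and a != "-"]
    return {
        "TLS_version": None if tls == "-" else tls,
        "xforwarded": xff,
        "xff_chain": chain,
    }


def extract_all(events=SAMPLE_EVENTS) -> list:
    """Run the extraction over every sample event."""
    return [extract_tls_xff(e) for e in events]


if __name__ == "__main__":
    for ev, fields in zip(SAMPLE_EVENTS, extract_all()):
        print(fields["TLS_version"], fields["xff_chain"], "<-", ev[:40], "...")
```

Two things to keep in mind when turning this into a Splunk extraction: the regex only helps if the two extra values are not swallowed by an earlier field, which is why it matches the whole line from the first column rather than just the tail; and X-Forwarded-For is a request header the client controls, so only the addresses appended by your own proxies (the rightmost entries of the chain) are trustworthy, while the leftmost value can be anything the requester chose to send.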

niketn
Legend

@romgo75, please go ahead and accept your own answer to mark this question as answered. For reference, the following is the link to the Splunk Docs for Interactive Field Extraction in Splunk.

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma