Are there field extractions available for IPlanet ...

ndoshi · ‎03-11-2013

Here's the fields followed by a description:

Hostname or IP address of client

arrow.a.com. (In this case, the hostname is shown because the web server's setting for DNS lookups is enabled; if DNS lookups were disabled, the client's IP address would appear.

RFC 931 information

(RFC 931 identity not implemented)

Username

john (username entered by the client for authentication)

Date/time of request

29/Mar/1999:4:36:53 -0800

Request

GET /help

Protocol

HTTP/1.0

Status code

401

Bytes transferred

571

kvaga · ‎06-10-2018

Hello! I have more than five implementations of iplanet log files format string. Because a format of any web access log depends on the administrator who manages server.
Give me a few rows of your own log file and I'll give you exact string of field extraction

scruse · ‎12-18-2018

@kvaga i have a similar issue, how can i provide you with a sanitized sample so i dont repeat work already completed on this tech

ndoshi · ‎03-11-2013

Try these in props.conf

[iplanet]
EXTRACT-myfields=^(?.?[^\s])\s-\s(?.?[^\s])\s[(?.?)]\s\"(?\w+)\s(?.?[^\s])\s(?.*?)"\s(?\d+)\s(?\d+)\s(?\d+)

ndoshi · ‎03-11-2013

BTW, the other field is probably not needed. It's there in case you have some integer at the end of the event that is unaccounted for.

Are there field extractions available for IPlanet web access logs?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life