Hello, I have what may or may not be a bit of a unique issue regarding extracted fields.
We've got a few webservers and we use a relatively unique custom log format, so I've had to manually extract fields. One of the fields is the HTTP header hostname that Apache sees.
The issue is this: We have several sites with multiple hostnames that all serve the same content. For example:
www.domain.com
origin-www.domain.com
The CustomLog in Apache shows both hostnames in their respective log lines, so Splunk does as well.
This results in our Splunk-generated graphs showing both fields separately, rather than combined, which results in incorrect numbers (hits/sec, etc.).
What I need is to combine those two. In other words, I want Splunk to combine the origin-www.domain.com field with the www.domain.com field.
Any ideas on how this can be done?