I'm trying to define a custom set of fields for a sourcetype and am finding that the "train" command is a) tedious and b) doesn't work. Here's the basic format of my apache log:
LogFormat "%h %l %u %t %P \"%r\" %>s %X %b %I %O %D \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\" \"%{X-Forwarded-For}i\" \"%{X-Cluster-Client-IP}i\" \"%{True-Client-IP}i\" \"%{Via}i\" \"%{Akamai-Origin-Hop}i\""
I just want a way to create a definition from this that extracts these fields and am not finding a good way to do this. Am I missing something?
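One way to turn that LogFormat into a field definition, as an added example that is not part of the original post or of any Splunk app: each directive in the LogFormat becomes one named capture group, so the regex can be kept in step with the format string token by token. The field names, the sample log line and the parser are my own assumptions, not the poster's data.

```python
import re
from typing import Optional

# The eight quoted request headers at the end of the LogFormat, in order.
# Field names are an assumption; rename them to suit the sourcetype.
HEADER_FIELDS = ["referer", "user_agent", "host", "x_forwarded_for",
                 "x_cluster_client_ip", "true_client_ip", "via", "akamai_origin_hop"]


def _quoted(name: str) -> str:
    # One double-quoted field. Apache escapes embedded quotes as \" so the
    # body allows any backslash-escaped character, not just [^"].
    return rf'"(?P<{name}>(?:[^"\\]|\\.)*)"'


# One pattern per LogFormat directive, in the order they appear in the format.
PARTS = [
    r"(?P<clientip>\S+)",          # %h   TCP peer address (the only IP Apache itself saw)
    r"(?P<ident>\S+)",             # %l   identd logname, normally "-"
    r"(?P<user>\S+)",              # %u   authenticated user or "-"
    r"\[(?P<timestamp>[^\]]+)\]",  # %t   [10/Oct/2023:13:55:36 +0000]
    r"(?P<pid>\d+)",               # %P   worker process id
    _quoted("request"),            # \"%r\"  request line
    r"(?P<status>\d{3})",          # %>s  final status
    r"(?P<conn_status>[X+-])",     # %X   connection status after the response
    r"(?P<bytes_body>-|\d+)",      # %b   body bytes, "-" when none
    r"(?P<bytes_in>\d+)",          # %I   bytes received (mod_logio)
    r"(?P<bytes_out>\d+)",         # %O   bytes sent including headers (mod_logio)
    r"(?P<duration_us>\d+)",       # %D   time taken in microseconds
] + [_quoted(n) for n in HEADER_FIELDS]

LOG_RE = re.compile("^" + " ".join(PARTS) + "$")

# Constructed sample line matching the LogFormat above (not real traffic).
SAMPLE_LINE = (
    '203.0.113.5 - alice [10/Oct/2023:13:55:36 +0000] 12345 '
    '"GET /index.html?q=1 HTTP/1.1" 200 + 2326 512 2748 1534 '
    '"https://example.com/start" "Mozilla/5.0 (X11; Linux x86_64) \\"quoted\\"" '
    '"www.example.com" "198.51.100.7, 203.0.113.5" "198.51.100.7" "198.51.100.7" '
    '"1.1 proxy.example.net" "-"'
)


def _text(value: str) -> Optional[str]:
    # "-" is Apache's "no value"; otherwise undo the \" and \\ escaping.
    if value == "-":
        return None
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of extracted fields, or None if the line does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    f = m.groupdict()
    for name in ("ident", "user", "request", *HEADER_FIELDS):
        f[name] = _text(f[name])
    for name in ("pid", "status", "bytes_in", "bytes_out", "duration_us"):
        f[name] = int(f[name])
    f["bytes_body"] = None if f["bytes_body"] == "-" else int(f["bytes_body"])
    # Split the request line so method, path and protocol are searchable on their own.
    if f["request"]:
        parts = f["request"].split(" ")
        if len(parts) == 3:
            f["method"], f["uri"], f["protocol"] = parts
    # X-Forwarded-For is a comma-separated chain. Only the hop appended by your
    # own proxy is trustworthy; everything before it was supplied by the client.
    xff = f["x_forwarded_for"]
    f["xff_chain"] = [h.strip() for h in xff.split(",")] if xff else []
    return f


if __name__ == "__main__":
    for key, val in sorted(parse_line(SAMPLE_LINE).items()):
        print(f"{key:22} {val!r}")
```

Because the named groups use the `(?P<name>...)` syntax, which PCRE also accepts, the same regex string can be pasted into a props.conf `EXTRACT-` stanza for the sourcetype and Splunk will create the fields at search time; the Python wrapper only adds the type conversions and the request-line split. When a line fails to match, the usual cause is a header value containing an escaped quote, which is why the quoted-field pattern allows backslash escapes.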