https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98457#M20574 <P>Hi,</P> <P>I have apache access log with this pattern: </P> <P>%h %t '%r' '%q' %s %b %D %S %U %v %{User-Agent}i</P> <P>{text:ip} [{date:Date,dd/MMM/yyyy:HH:mm:ss z}] '{string:HTTP Request Method' '{string:Query String}' {number:Response Code} {string:Bytes Sent} {number:Request Processing Time} {string:User Session ID} {string:Requested URL Path} {string:Local Server Name} {string:User Agent}</P> <P>i'm struggling to parse the data using regular expression and the overall process how to parse the file. </P> <P>Here is an example data from the log:<BR /> 88.117.159.10 [22/Jan/2013:10:57:21 +0100] 'GET /dealers/actions.do HTTP/1.1' '' 200 69068 56 64EB37C2102324BD81E0E0B93243C2232 /dealers/actions.do <A href="http://www.simpledns.com">www.simpledns.com</A> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 </P> <P>any kind of help will be appreciated. </P> Thu, 24 Jan 2013 14:04:06 GMT shoautorola 2013-01-24T14:04:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98457#M20574 <P>Hi,</P> <P>I have apache access log with this pattern: </P> <P>%h %t '%r' '%q' %s %b %D %S %U %v %{User-Agent}i</P> <P>{text:ip} [{date:Date,dd/MMM/yyyy:HH:mm:ss z}] '{string:HTTP Request Method' '{string:Query String}' {number:Response Code} {string:Bytes Sent} {number:Request Processing Time} {string:User Session ID} {string:Requested URL Path} {string:Local Server Name} {string:User Agent}</P> <P>i'm struggling to parse the data using regular expression and the overall process how to parse the file. </P> <P>Here is an example data from the log:<BR /> 88.117.159.10 [22/Jan/2013:10:57:21 +0100] 'GET /dealers/actions.do HTTP/1.1' '' 200 69068 56 64EB37C2102324BD81E0E0B93243C2232 /dealers/actions.do <A href="http://www.simpledns.com">www.simpledns.com</A> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0 </P> <P>any kind of help will be appreciated. </P> Thu, 24 Jan 2013 14:04:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98457#M20574 shoautorola 2013-01-24T14:04:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98458#M20575 <P>Have you tried using the default sourcetypes for access logs? If you assign the sourcetype of access_combined for example Splunk should automatically create the fields for you. Just change the sourcetype in your inputs.conf setting for that file monitor and restart splunk.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes">http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes</A></P> <P>In case you run into any issues there are a lot of other postings you can look at here to see if one can help you as well:</P> <P><A href="http://splunk-base.splunk.com/search/?q=apache&amp;Submit=Search">http://splunk-base.splunk.com/search/?q=apache&amp;Submit=Search</A></P> Thu, 24 Jan 2013 14:18:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98458#M20575 sdaniels 2013-01-24T14:18:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98459#M20576 <P>it can't parse when i choose existing source type access_combined except the timestamp. It can detect the time stamp only.</P> Thu, 24 Jan 2013 14:35:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98459#M20576 shoautorola 2013-01-24T14:35:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98460#M20577 <P>it's much easier to parse custom logs in XpoLog Center using simple wizard. Why not Splunk provide that? I'm evaluation splunk as one of our potential log management system to adopt in our company but seems it lack of some functionality that can make your life easier.</P> Thu, 24 Jan 2013 14:40:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98460#M20577 shoautorola 2013-01-24T14:40:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98461#M20578 <P>Create a specific sourcetype for your data, and define a search time field definition.<BR /> see <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/5.0.1/Admin/Transformsconf</A></P> <P>example: </P> <P>in props.conf</P> <P><CODE>[myapache]<BR /> REPORT-extract_myapache= extract_myapache<BR /> </CODE><BR /> and in transforms.conf<BR /> <CODE><BR /> [extract_myapache]<BR /> DELIMS = " "<BR /> FIELDS = "field1", "field2", "field3"<BR /> </CODE></P> Thu, 24 Jan 2013 15:26:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Parsing-Apache-Access-Log/m-p/98461#M20578 yannK 2013-01-24T15:26:14Z