https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20719#M3036 <P>By default, Splunk should extract the standard fields for sourcetypes access_combined, access_combined_wcookie and access_common using the regex in transforms.conf called access-extractions.</P> <P>Since it's not parsing the data, it probably means that the regex isn't matching your log lines. If you paste a sample line, someone on answers should be able to point out why the extraction fails. Alternately, you can copy the extraction called access-extraction from etc/system/default/transforms.conf to etc/system/local/transforms.conf and tweak it to extract your fields.</P> Wed, 28 Jul 2010 00:48:47 GMT Stephen_Sorkin 2010-07-28T00:48:47Z https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20718#M3035 <P>Hello,</P> <P>I have recently configured a Splunk light forwarder to monitor an apache access_log. I specified that the file being watched be recognized as an 'access_common' sourcetype. We are using the standard apache output.</P> <P>Unfortunately, this pre-trained sourcetype does not seem to be parsing the fields in the log data. Is there something else I need to configure? I was under the impression that things like the IP address would be automatically assigned to a field...</P> <P>Thanks</P> Tue, 27 Jul 2010 06:46:43 GMT https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20718#M3035 sf_user_199 2010-07-27T06:46:43Z https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20719#M3036 <P>By default, Splunk should extract the standard fields for sourcetypes access_combined, access_combined_wcookie and access_common using the regex in transforms.conf called access-extractions.</P> <P>Since it's not parsing the data, it probably means that the regex isn't matching your log lines. If you paste a sample line, someone on answers should be able to point out why the extraction fails. Alternately, you can copy the extraction called access-extraction from etc/system/default/transforms.conf to etc/system/local/transforms.conf and tweak it to extract your fields.</P> Wed, 28 Jul 2010 00:48:47 GMT https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20719#M3036 Stephen_Sorkin 2010-07-28T00:48:47Z https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20720#M3037 <P>Thanks - I moved the extraction to /local/transforms.conf and then removed one of the extractions - everything then worked.</P> Tue, 03 Aug 2010 05:46:54 GMT https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20720#M3037 sf_user_199 2010-08-03T05:46:54Z https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20721#M3038 <P>which extraction did you remove?</P> Tue, 17 Jun 2014 15:50:35 GMT https://community.splunk.com/t5/Getting-Data-In/apache-access-common-sourcetype-not-working/m-p/20721#M3038 wrangler2x 2014-06-17T15:50:35Z