topic Re: extracting ip details from apache logs in Getting Data In

extracting ip details from apache logs

adriangoodhead7 — Mon, 25 Nov 2013 11:30:54 GMT

Hi all, i'm new to splunk. I've managed to get it set up and imported a load of Apache log files. When I search by host, it shows all the logs but I can't quite work out the next step.

Ultimately I would like to produce a chart/graph of the number of times an ip address appers in the events, and splunk has correctly identified the date/time stamp, and sorted accordingly. I can see the ip addresses in the event (, but can't work out how to get the data into a graph format.

There doesn't seem to be a IP address field, how do I use splunk to extract the IP addresses from the logs?

I'm sure this is quite a basic thing to do, i'll continue my research online.

Thanks.

Re: extracting ip details from apache logs

adriangoodhead7 — Mon, 25 Nov 2013 11:32:02 GMT

Here is an entry from splunk

65.55.52.111 - - [18/Nov/2013:20:50:42 -0700] "GET acme.com/~fb872661/ HTTP/1.1" 200 6374 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0 "redirect-handler" "/var/chroot/home/content/20/11043820/html/index.php" 228881

Re: extracting ip details from apache logs

martin_mueller — Mon, 25 Nov 2013 11:49:58 GMT

Take a look at the search tutorial: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

These kinds of questions are answered and explained there, even using access logs as an example.

Re: extracting ip details from apache logs

somesoni2 — Mon, 25 Nov 2013 16:51:19 GMT

You can include following in your search to extract the IP address at search time and use this field in your charting search.

your base search| rex  "(?<IP_address>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | your chart search using field IP_address

Re: extracting ip details from apache logs

adriangoodhead7 — Fri, 29 Nov 2013 14:27:41 GMT

I changed the source type to "access_combined" and now its sorted, thanks 😉