topic Re: cannot find sourcetype squid in Getting Data In

cannot find sourcetype squid

njathan — Wed, 28 Jul 2010 19:36:34 GMT

I am trying to analyse a squid access log for top 10 reports (top sources, top destinations, etc.)

I imported the log file in Manager » Data inputs » Files & Directories » Add New

When i keep the sourcetype=automatic, it does not seem to identify the source destination etc fields... just bundles them into one huge field, which is useless.

Elsewhere in this forum, i found someone's using sourcetype=squid_access. Where is this available for the latest version (4.1.4)? If not this, what is the best way of analysing squid logs in splunk?

Re: cannot find sourcetype squid

rroberts — Wed, 28 Jul 2010 20:45:26 GMT

When you set sourcetype to manual you should be able to type squid_access in the box below.

Re: cannot find sourcetype squid

njathan — Wed, 28 Jul 2010 22:49:03 GMT

the 'drop-down' list appears when i choose the 'From list' option in the 'Set sourcetype' section... Manual sourcetype does not give any listing...

Re: cannot find sourcetype squid

njathan — Mon, 28 Sep 2020 09:15:27 GMT

actually manually typing access_squid does not help in that fields like TCP_MISS/200, CONNECT, http://mail.google.com etc in the log dont get classified into separate fields. Tried the 'extract fields' options, but i am poor at regex, and would be helpful if there is a ready plugin that lets splunk categorize the fields accordingly. (Which is not happening right now.)

Re: cannot find sourcetype squid

rroberts — Thu, 29 Jul 2010 04:07:49 GMT

I see what you mean now have you seen this doc? http://www.splunk.com/wiki/Community:Field_extractions_for_Squid_data
There is a props.conf and transforms.conf example for squid field extraction that might be helpful.

Re: cannot find sourcetype squid

njathan — Fri, 30 Jul 2010 22:05:04 GMT

thanks rroberts 🙂