https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439809#M76700 <P>Here are the details:</P> <PRE><CODE>| makeresults | eval _raw = "1.1.1.1 80 - [07/Aug/2019:21:43:37 +0000] \"GET /demo_bin/resource.php?command= space and another space and some more spaces in between HTTP/1.1\" 400 583 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" \"-\" \"-\"" | rename COMMENT AS "This is 'access-extractions' from '/opt/splunk/etc/system/local/transforms.conf'" | rename COMMENT AS "^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++\"(?&lt;referer&gt;[[bc_domain:referer_]]?+[^\"]*+)\"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]" | rename COMMENT AS "This is 'access-request' from '/opt/splunk/etc/system/local/transforms.conf'" | rename COMMENT AS "\s*+[[reqstr:method]]?(?:\s++[[bc_uri]](?:\s++[[reqstr:version]])*)?\s*+" | rename COMMENT AS "This is 'bc_uri' from '/opt/splunk/etc/system/local/transforms.conf'" | rex "(?&lt;uri&gt;[[bc_domain:uri_]]?+(?&lt;uri_path&gt;[[uri_root]]?[[uri_seg]]*(?&lt;file&gt;[^\s\?/]+)?)(?:\?(?&lt;uri_query&gt;[^\s]*))?)" | rex mode=sed "s/.*\"\w+\s+//" | rename COMMENT AS "Let's modify it to fix it..." | rex "(?&lt;uri&gt;[[bc_domain:uri_]]?+(?&lt;uri_path&gt;[[uri_root]]?[[uri_seg]]*(?&lt;file&gt;[^\s\?/]+)?)(?:\?(?&lt;uri_query&gt;[^\s]*(?:\s+[^\"]+))?)?)" </CODE></PRE> <P>So you need to create an updated definition for <CODE>bc_uri</CODE> along the lines of what I did in the last line above and put it someplace where the <CODE>transforms.conf</CODE> will have <CODE>global</CODE> scope <CODE>preferences</CODE>.</P> Fri, 16 Aug 2019 20:28:23 GMT woodcock 2019-08-16T20:28:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439806#M76697 <P>I recently discovered the access_combined field definitions don't properly parse the <CODE>uri</CODE> fields if it includes a space. I understand the reasoning as spaces are largely regarded as invalid and should be escaped with %20 – however that shouldn't have any bearing on parsing the result in Splunk.</P> <P>How can I modify the <CODE>access_combined</CODE> field definitions via <CODE>transforms.conf</CODE> to include spaces in the <CODE>uri</CODE> field?</P> <P>Example event with spaces in the <CODE>uri</CODE>:</P> <PRE><CODE>1.1.1.1 80 - [07/Aug/2019:21:43:37 +0000] "GET /demo_bin/resource.php?command= space and another space and some more spaces in between HTTP/1.1" 400 583 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-" "-" </CODE></PRE> Thu, 08 Aug 2019 00:56:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439806#M76697 orion44 2019-08-08T00:56:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439807#M76698 <P>It is not common for spaces to even exist so you would have to post some sample raw events if you'd like anybody to help.</P> Thu, 08 Aug 2019 01:22:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439807#M76698 woodcock 2019-08-08T01:22:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439808#M76699 <P>Updated question to include example event</P> Thu, 08 Aug 2019 01:46:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439808#M76699 orion44 2019-08-08T01:46:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439809#M76700 <P>Here are the details:</P> <PRE><CODE>| makeresults | eval _raw = "1.1.1.1 80 - [07/Aug/2019:21:43:37 +0000] \"GET /demo_bin/resource.php?command= space and another space and some more spaces in between HTTP/1.1\" 400 583 \"-\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" \"-\" \"-\"" | rename COMMENT AS "This is 'access-extractions' from '/opt/splunk/etc/system/local/transforms.conf'" | rename COMMENT AS "^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++\"(?&lt;referer&gt;[[bc_domain:referer_]]?+[^\"]*+)\"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]" | rename COMMENT AS "This is 'access-request' from '/opt/splunk/etc/system/local/transforms.conf'" | rename COMMENT AS "\s*+[[reqstr:method]]?(?:\s++[[bc_uri]](?:\s++[[reqstr:version]])*)?\s*+" | rename COMMENT AS "This is 'bc_uri' from '/opt/splunk/etc/system/local/transforms.conf'" | rex "(?&lt;uri&gt;[[bc_domain:uri_]]?+(?&lt;uri_path&gt;[[uri_root]]?[[uri_seg]]*(?&lt;file&gt;[^\s\?/]+)?)(?:\?(?&lt;uri_query&gt;[^\s]*))?)" | rex mode=sed "s/.*\"\w+\s+//" | rename COMMENT AS "Let's modify it to fix it..." | rex "(?&lt;uri&gt;[[bc_domain:uri_]]?+(?&lt;uri_path&gt;[[uri_root]]?[[uri_seg]]*(?&lt;file&gt;[^\s\?/]+)?)(?:\?(?&lt;uri_query&gt;[^\s]*(?:\s+[^\"]+))?)?)" </CODE></PRE> <P>So you need to create an updated definition for <CODE>bc_uri</CODE> along the lines of what I did in the last line above and put it someplace where the <CODE>transforms.conf</CODE> will have <CODE>global</CODE> scope <CODE>preferences</CODE>.</P> Fri, 16 Aug 2019 20:28:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-modify-access-combined-field-definitions-to-include/m-p/439809#M76700 woodcock 2019-08-16T20:28:23Z