https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57691#M14066 <P>BTW, the other field is probably not needed. It's there in case you have some integer at the end of the event that is unaccounted for.</P> Mon, 11 Mar 2013 20:18:26 GMT ndoshi 2013-03-11T20:18:26Z https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57689#M14064 <P>Here's the fields followed by a description:</P> <P>Hostname or IP address of client </P> <P>arrow.a.com. (In this case, the hostname is shown because the web server's setting for DNS lookups is enabled; if DNS lookups were disabled, the client's IP address would appear. </P> <P>RFC 931 information </P> <UL> <LI>(RFC 931 identity not implemented)<BR /></LI> </UL> <P>Username </P> <P>john (username entered by the client for authentication) </P> <P>Date/time of request </P> <P>29/Mar/1999:4:36:53 -0800 </P> <P>Request </P> <P>GET /help </P> <P>Protocol </P> <P>HTTP/1.0 </P> <P>Status code </P> <P>401 </P> <P>Bytes transferred </P> <P>571 </P> Mon, 11 Mar 2013 19:54:51 GMT https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57689#M14064 ndoshi 2013-03-11T19:54:51Z https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57690#M14065 <P>Try these in props.conf</P> <P>[iplanet]<BR /> EXTRACT-myfields=^(?<CLIENTIP>.<EM>?[^\s])\s-\s(?<USER>.</USER></EM>?[^\s])\s[(?<REQ_TIME>.<EM>?)]\s\"(?<METHOD>\w+)\s(?<URI_PATH>.</URI_PATH></METHOD></EM>?[^\s])\s(?<PROTOCOL>.*?)"\s(?<STATUS>\d+)\s(?<BYTES>\d+)\s(?<OTHER>\d+)</OTHER></BYTES></STATUS></PROTOCOL></REQ_TIME></CLIENTIP></P> Mon, 11 Mar 2013 19:55:38 GMT https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57690#M14065 ndoshi 2013-03-11T19:55:38Z https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57691#M14066 <P>BTW, the other field is probably not needed. It's there in case you have some integer at the end of the event that is unaccounted for.</P> Mon, 11 Mar 2013 20:18:26 GMT https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57691#M14066 ndoshi 2013-03-11T20:18:26Z https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57692#M14067 <P>Hello! I have more than five implementations of iplanet log files format string. Because a format of any web access log depends on the administrator who manages server.<BR /> Give me a few rows of your own log file and I'll give you exact string of field extraction</P> Sun, 10 Jun 2018 16:53:44 GMT https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57692#M14067 kvaga 2018-06-10T16:53:44Z https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57693#M14068 <P>@kvaga i have a similar issue, how can i provide you with a sanitized sample so i dont repeat work already completed on this tech</P> Tue, 18 Dec 2018 15:32:26 GMT https://community.splunk.com/t5/Splunk-Search/Are-there-field-extractions-available-for-IPlanet-web-access/m-p/57693#M14068 scruse 2018-12-18T15:32:26Z