https://community.splunk.com/t5/Splunk-Search/Custom-Apache-Log-RegEx/m-p/133688#M36509 <P>hello. I'll preference this with I'm not by any means a regex user.</P> <P>I'm working with a custom Apache format that Splunk 6 is not extracting correctly. I'm just loosely trying to assign each Apache field an identifier so it will populate interesting fields.</P> <P>LogFormat "%h %{forwarded}e %{host}i %t %D \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined</P> <P>log-example<BR /> 1.1.1.1 2.2.2.2 host.domain.com [07/Nov/2013:21:59:49 +0000] 88040 "GET /api/v3/projects HTTP/1.1" 200 82 "referer_URL_here_because_ask_site_won't_let_me_post" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0"</P> <P>I'm assigning the sourcetype on the UF as "access_custom". Here are my props and transforms. Any help would be greatly appreciated.</P> <P>[access_custom]<BR /> TRANSFORM-format=apache_format</P> <P>[apache_format]<BR /> REGEX=(.<EM>) (.</EM>) (.<EM>) [(.</EM>)] (.<EM>) \"(.</EM>)\" ([0-9]<EM>) ([0-9]</EM>) \"(.<EM>)\" \"(.</EM>)\"<BR /> FORMAT=remotehost::$1 clientip::$2 hostheader::$3 timestamp::$4 req_time::$5 url::$6 statuscode::$7 bytes::$8 referer::$9 user-agent::$10 </P> <P>thxs!</P> Mon, 28 Sep 2020 15:13:53 GMT ctripod 2020-09-28T15:13:53Z https://community.splunk.com/t5/Splunk-Search/Custom-Apache-Log-RegEx/m-p/133688#M36509 <P>hello. I'll preference this with I'm not by any means a regex user.</P> <P>I'm working with a custom Apache format that Splunk 6 is not extracting correctly. I'm just loosely trying to assign each Apache field an identifier so it will populate interesting fields.</P> <P>LogFormat "%h %{forwarded}e %{host}i %t %D \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined</P> <P>log-example<BR /> 1.1.1.1 2.2.2.2 host.domain.com [07/Nov/2013:21:59:49 +0000] 88040 "GET /api/v3/projects HTTP/1.1" 200 82 "referer_URL_here_because_ask_site_won't_let_me_post" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0"</P> <P>I'm assigning the sourcetype on the UF as "access_custom". Here are my props and transforms. Any help would be greatly appreciated.</P> <P>[access_custom]<BR /> TRANSFORM-format=apache_format</P> <P>[apache_format]<BR /> REGEX=(.<EM>) (.</EM>) (.<EM>) [(.</EM>)] (.<EM>) \"(.</EM>)\" ([0-9]<EM>) ([0-9]</EM>) \"(.<EM>)\" \"(.</EM>)\"<BR /> FORMAT=remotehost::$1 clientip::$2 hostheader::$3 timestamp::$4 req_time::$5 url::$6 statuscode::$7 bytes::$8 referer::$9 user-agent::$10 </P> <P>thxs!</P> Mon, 28 Sep 2020 15:13:53 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Apache-Log-RegEx/m-p/133688#M36509 ctripod 2020-09-28T15:13:53Z https://community.splunk.com/t5/Splunk-Search/Custom-Apache-Log-RegEx/m-p/133689#M36510 <PRE><CODE>[apache_format] REGEX=([\d\.]+)\s([\d\.]+)\s([\w\.]+)\s\[(\d+\/\w+\/\d+\:\d+\:\d+\:\d+\s\+\d+)]\s(\d+)\s\"(\w\/\s\.)\"\s(\d+)\s(\d+)\s\"([\w\-]+)\"\s\"([\w\d\.\;\,\/\\\s\:])\\(\)" FORMAT=remotehost::$1 clientip::$2 hostheader::$3 timestamp::$4 req_time::$5 url::$6 statuscode::$7 bytes::$8 referer::$9 user-agent::$10 </CODE></PRE> Thu, 07 Nov 2013 23:51:31 GMT https://community.splunk.com/t5/Splunk-Search/Custom-Apache-Log-RegEx/m-p/133689#M36510 ShaneNewman 2013-11-07T23:51:31Z