Easy way to add access_combined to the Web Data Model

sloshburch
Splunk Employee

This question is not just asking about how to generally add data to a CIM (http://docs.splunk.com/Documentation/CIM/latest/User/UsetheCIMtonormalizedataatsearchtime).

Many apps come with sourcetypes predefined and ready to go with eventtypes and tags so they work with Common Information Model Data Models immediately (AWS TA for example). I'm not seeing anything like that for access_combined. Am I missing something obvious here? If there exists a definition of the eventtype, tags, field aliases, etc., then I'd love to use that instead of building it on my own.

1 Solution

gfuente
Motivator

Have you checked this addon?

https://splunkbase.splunk.com/app/3186/#/overview

You may just need to change the sourcetype to apache:access

Regards

aivarson_splunk
Splunk Employee

Just created an add-on for this in case you don't want to change your sourcetype from the out of the box access_combined: https://splunkbase.splunk.com/app/3434/

sloshburch
Splunk Employee

I'll check it out. Assuming it works I'll probably switch the accepted answer to this one.

0 Karma

sloshburch
Splunk Employee

Thanks. I'm also reaching out to the docs team to ask them to reference https://splunkbase.splunk.com/apps/#/page/1/search/CIM-compatible/order/relevance/supported/splunk if not done already. I think it's good to highlight those options.

0 Karma
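
For readers who would rather build the mapping by hand, this is the kind of knowledge-object set the question describes, as an added example that is not part of the original thread and is not the contents of either Splunkbase add-on linked above. The stanza name `access_combined_web` and the alias class names are hypothetical; the source field names (`clientip`, `method`, `uri`, `referer`, `useragent`) are assumed to be the ones the built-in access_combined extraction produces, and `dest = host` assumes the events are collected on the web server itself.

```ini
# --- eventtypes.conf ---
# Hypothetical eventtype name; it only selects the sourcetype.
[access_combined_web]
search = sourcetype=access_combined

# --- tags.conf ---
# The CIM Web data model selects events by tag=web.
[eventtype=access_combined_web]
web = enabled

# --- props.conf ---
[access_combined]
# Rename the sourcetype's own fields to the CIM Web field names.
# status, bytes, uri_path, uri_query, user and cookie already use
# the CIM names and need no alias.
FIELDALIAS-cim_web_src = clientip AS src
FIELDALIAS-cim_web_http_method = method AS http_method
FIELDALIAS-cim_web_url = uri AS url
FIELDALIAS-cim_web_http_referrer = referer AS http_referrer
FIELDALIAS-cim_web_http_user_agent = useragent AS http_user_agent
# Assumption: the forwarder runs on the web server, so host is the dest.
EVAL-dest = host

# Search-time check after deploying (run in the search bar, not a .conf line):
#   tag=web sourcetype=access_combined
#     | table _time src dest http_method url status http_user_agent
# Events that return with these fields populated will be picked up by the
# Web data model; an empty result usually means the tag or eventtype is not
# shared globally or the app's permissions hide it from the CIM app.
```

The knowledge objects must be exported with global permissions, otherwise the data model and any correlation searches built on it will not see the tagged events.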