All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for AWS: How to adjust the regular expression in props.conf to extract fields in ELB Access Logs?

klaxdal
Contributor
‎01-23-2017 08:58 AM

Hi All .

Really need some help with this one .

I had to adjust the regex within props.conf to extract the field for all ELB's correctly ( see below ) 

^(?P<timestamp>[^ ]+)[^ \n]* (?P<elb>[^ ]+)\s+(?P<client_ip>[^:]+):(?P<client_port>\d+)\s+(?P<backend>[^ ]+)\s+(?P<request_processing_time>[^ ]+)\s+(?P<backend_processing_time>[^ ]+)\s+(?P<response_processing_time>\d+\.\d+)\s+(?P<elb_status_code>\d+)\s+(?P<backend_status_code>\d+)\s+(?P<received_bytes>\d+)\s+(?P<sent_bytes>\d+)\s+"(?P<request>[^"]+)"\s+"(?P<user_agent>\-)"\s+(?P<ssl_cipher>[^ ]+)\s+(?P<ssl_protocol>.+)

Everything populates correctly in the dashboard with exception of elb_status_code and backend_status_code - any insight into what I have missed or done wrong would be greatly appreciated.

Thanks !

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adayton20
Contributor
‎01-24-2017 04:11 AM

If the value of elb_status_code is always followed by the key "eventtype" in each of those events, you could try something like this:

elb_status_code\s\=\s(?P<elb_status_code>.[^eventtype]*)

Worked for me:
alt text

Also, as knielsen mentioned, the value of elb_status_code is "-"in the log sample you provided us.

View solution in original post

Preview file
47 KB
0 Karma
Reply
Solved! Jump to solution
Solution

adayton20
Contributor
‎01-24-2017 04:11 AM

If the value of elb_status_code is always followed by the key "eventtype" in each of those events, you could try something like this:

elb_status_code\s\=\s(?P<elb_status_code>.[^eventtype]*)

Worked for me:
alt text

Also, as knielsen mentioned, the value of elb_status_code is "-"in the log sample you provided us.

Preview file
47 KB
0 Karma
Reply
Solved! Jump to solution

adayton20
Contributor
‎01-24-2017 05:44 AM

Glad I could help 🙂

0 Karma
Reply
Solved! Jump to solution

klaxdal
Contributor
‎01-24-2017 05:06 AM

That did the trick ! Your the "Regex Whisperer"

Thanks adayton20 !

I can now see all 16 ELBs and the dashboard is populating with the required information .

0 Karma
Reply
Solved! Jump to solution

krisrmal
Engager
‎08-20-2020 01:15 AM

Hi @klaxdal 

Would you be able to share the props.conf config block you have added to ingest ELB logs. Currently I'm experiencing similar issue, where I cannot parse the logs properly. Thanks!

0 Karma
Reply
Solved! Jump to solution

adayton20
Contributor
‎01-23-2017 09:09 AM

Could you post a sample of the event data?

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...