Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- create custom source type
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having trouble understanding how to create customer fields for my application logs. My logs have the following fields:
Timestamp SourceIP Token HTTP.Method URL Query.String Post.Data User.Agent
- Delimiter is the TAB character.
- I need to discard sourceIP in the indexing process.
- The Token is a 24 characters string
- Depending on the http method the Query.String and Post.Data are optional.
Can you please help me with a custom "pattern or regex" or "props.conf".
Thank you,
Edmond.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are excellent docs on this: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Createandmaintainsearch-timefieldextract...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are excellent docs on this: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Createandmaintainsearch-timefieldextract...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ayn.
I did see some general topic on other documents but this type of explanations I didn't find. If I will have further queries I will come back here :).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Get method without query.string:
2013-07-20 10:56:54,188 62.75.10.167 tQxfxrcFuj=kdjxmxuq.R5ka GET /root/index.html Mozilla/5.0 (Linux; Android
Get method with query.string:
2013-07-20 10:57:14,764 62.75.10.167 tQxfxrcFu=Akdjxmx,qpR5ka GET /root/liquide.html language=en_US Mozilla/5.0 (Linux; Android
Post method:
2013-07-20 15:05:49,007 62.75.10.158 B52Je4k-XRCVPXm2JUzH8BZ3 POST /office/buy.html &tel_phone=123456789012&amount=123456&personal.token.name=personal.token&personal.token=ER6XEIF6JHLI620Y8KR3IZWSGF7IGCRZ Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1
Thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
