Solved: create custom source type

Edmondi · ‎07-20-2013

I'm having trouble understanding how to create customer fields for my application logs. My logs have the following fields:

Timestamp SourceIP Token HTTP.Method URL Query.String Post.Data User.Agent

Delimiter is the TAB character.
I need to discard sourceIP in the indexing process.
The Token is a 24 characters string
Depending on the http method the Query.String and Post.Data are optional.

Can you please help me with a custom "pattern or regex" or "props.conf".

Thank you,
Edmond.

Ayn · ‎07-21-2013

There are excellent docs on this: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

View solution in original post

Ayn · ‎07-21-2013

There are excellent docs on this: http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

Edmondi · ‎07-21-2013

Thanks Ayn.
I did see some general topic on other documents but this type of explanations I didn't find. If I will have further queries I will come back here :).

Edmondi · ‎07-21-2013

Get method without query.string:

2013-07-20 10:56:54,188 62.75.10.167 tQxfxrcFuj=kdjxmxuq.R5ka GET /root/index.html Mozilla/5.0 (Linux; Android

Get method with query.string:

2013-07-20 10:57:14,764 62.75.10.167 tQxfxrcFu=Akdjxmx,qpR5ka GET /root/liquide.html language=en_US Mozilla/5.0 (Linux; Android

Post method:

2013-07-20 15:05:49,007 62.75.10.158 B52Je4k-XRCVPXm2JUzH8BZ3 POST /office/buy.html &tel_phone=123456789012&amount=123456&personal.token.name=personal.token&personal.token=ER6XEIF6JHLI620Y8KR3IZWSGF7IGCRZ Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 NokiaE71-1

Thanks

create custom source type

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor