I haven't been able to find definitions of the access_combined source type fields. Does anyone know where they might exist? Thanks!
The extractions are found in configuration files in $SPLUNK_HOME/etc/system/default/
props.conf (from where the extraction is called)
REPORT-access = access-extractions
transforms.conf (where it actually happens)
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining c
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[acce
Whatever you do, don't modify any file in a 'default' directory.
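To see what that REPORT/transform pair actually yields on an event, here is an added Python illustration (not Splunk's own code): it renders the field set named in the transforms.conf comment as an ordinary named-group regex and runs it over constructed access_common and access_combined lines. The regex and the way uri_path, file, root, referer_proto and referer_domain are derived are my approximation of the extraction, not Splunk's [[nspaces:...]] macro definitions.

```python
import re
from urllib.parse import urlsplit

# Plain-regex approximation of the access-extractions field set (constructed for
# illustration; Splunk's real REGEX is built from its [[nspaces:...]] macros).
ACCESS_LOG = re.compile(
    r'^(?P<clientip>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<req_time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<uri>\S+)(?:\s+HTTP/(?P<version>[\d.]+))?"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)'
    r'(?:\s+"(?P<referer_url>[^"]*)"\s+"(?P<useragent>[^"]*)")?\s*$'
)

def extract_access_fields(line):
    """Parse one access_common/access_combined event into Splunk-style field names.

    Returns None when the line does not match: that is the case where the
    fields would come back empty and a search keyed on them silently misses.
    """
    m = ACCESS_LOG.match(line)
    if m is None:
        return None
    f = {k: v for k, v in m.groupdict().items() if v is not None}
    # Derived fields (assumed split; the transform lists root, file, uri_query).
    path, _, query = f["uri"].partition("?")
    f["uri_path"] = path
    f["uri_query"] = query
    f["file"] = path.rsplit("/", 1)[-1]
    f["root"] = path.rsplit("/", 1)[0] or "/"
    if f.get("referer_url") and f["referer_url"] != "-":
        parts = urlsplit(f["referer_url"])
        f["referer_proto"] = parts.scheme
        f["referer_domain"] = parts.netloc
    return f

# Constructed sample events (not taken from any real server).
SAMPLE_COMBINED = ('203.0.113.7 - alice [10/Oct/2000:13:55:36 -0700] '
                   '"GET /app/index.html?id=42 HTTP/1.1" 200 2326 '
                   '"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"')
SAMPLE_COMMON = '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /favicon.ico HTTP/1.0" 404 -'
SAMPLE_BAD = '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "\\x16\\x03\\x01" 400 0'

if __name__ == "__main__":
    for line in (SAMPLE_COMBINED, SAMPLE_COMMON, SAMPLE_BAD):
        print(extract_access_fields(line))
```

The third sample (a non-HTTP request line such as a stray TLS handshake) is the kind of event the regex does not match, which is worth checking for when a field-based search returns fewer events than the raw count.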