Dashboards & Visualizations

How to do a field extraction for an Apache access log?

krishnacasso
Path Finder

Here are the sample events how the apache log looks like,

198.89.160.140 - - [10/Nov/2016:19:31:31 -0500] 48532 "GET /abc/def/ghi HTTP/1.1" 200 83 "-" "-"
198.89.160.140,123.456.789,10.11.12.134 - - [10/Nov/2016:19:31:35 -0500] 47152 "GET /bcf/dek/ghc HTTP/1.1" 200 73 "-" "-"

The format of the log is defined as "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\".

1. %h               -   clientIP
2. %l               -   IdentityCheck
3. %u               -   REMOTE_USER

4. %t               -   
[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit


5. \"%r\            - method
6. %>s              -statuscode
7. %b               -size   
8. \"%{Referer}i\   -Referer    
9. \"%{User-Agent}i\-Useragent

10. List item

When I tried field extraction for the first field it is not taking all 3 IP, instead it is taking the only 1 IP which is wrong.
Did any one tried this? Can some guide how to get the fields in format above so I can build few dashboards?

Thanks!

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

View solution in original post

0 Karma

rdimri_splunk
Splunk Employee
Splunk Employee

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...