Dashboards & Visualizations

How to do a field extraction for an Apache access log?

krishnacasso
Path Finder

Here are the sample events how the apache log looks like,

198.89.160.140 - - [10/Nov/2016:19:31:31 -0500] 48532 "GET /abc/def/ghi HTTP/1.1" 200 83 "-" "-"
198.89.160.140,123.456.789,10.11.12.134 - - [10/Nov/2016:19:31:35 -0500] 47152 "GET /bcf/dek/ghc HTTP/1.1" 200 73 "-" "-"

The format of the log is defined as "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\".

1. %h               -   clientIP
2. %l               -   IdentityCheck
3. %u               -   REMOTE_USER

4. %t               -   
[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit


5. \"%r\            - method
6. %>s              -statuscode
7. %b               -size   
8. \"%{Referer}i\   -Referer    
9. \"%{User-Agent}i\-Useragent

10. List item

When I tried field extraction for the first field it is not taking all 3 IP, instead it is taking the only 1 IP which is wrong.
Did any one tried this? Can some guide how to get the fields in format above so I can build few dashboards?

Thanks!

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

View solution in original post

0 Karma

rdimri_splunk
Splunk Employee
Splunk Employee

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...