Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do a field extraction for an Apache access log?

krishnacasso
Path Finder
‎11-11-2016 07:33 AM

Here are the sample events how the apache log looks like,

198.89.160.140 - - [10/Nov/2016:19:31:31 -0500] 48532 "GET /abc/def/ghi HTTP/1.1" 200 83 "-" "-"
198.89.160.140,123.456.789,10.11.12.134 - - [10/Nov/2016:19:31:35 -0500] 47152 "GET /bcf/dek/ghc HTTP/1.1" 200 73 "-" "-"

The format of the log is defined as "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\".

1. %h               -   clientIP
2. %l               -   IdentityCheck
3. %u               -   REMOTE_USER

4. %t               -   
[day/month/year:hour:minute:second zone]
day = 2*digit
month = 3*letter
year = 4*digit
hour = 2*digit
minute = 2*digit
second = 2*digit
zone = (`+' | `-') 4*digit


5. \"%r\            - method
6. %>s              -statuscode
7. %b               -size   
8. \"%{Referer}i\   -Referer    
9. \"%{User-Agent}i\-Useragent

10. List item

When I tried field extraction for the first field it is not taking all 3 IP, instead it is taking the only 1 IP which is wrong.
Did any one tried this? Can some guide how to get the fields in format above so I can build few dashboards?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:45 AM

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rdimri_splunk
Splunk Employee
Splunk Employee
‎11-11-2016 09:04 AM

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-11-2016 07:45 AM

Hi krishnacasso,
with the following regex you can extract IPs:
one from the first row and two from the second (only two IPs because the second block is composed by three numbers!):

(?<IP>\d+\.\d+\.\d+\.\d+)

see test at https://regex101.com/r/IoUiQy/1

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...