Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Has anyone experienced this squid error with splunk_recommended_squid log format?

rsd0991
Engager
‎12-14-2022 09:03 AM

i am running Squid 5.2 and having an issue adding the splunk_recommended_squid log format to my squid configuration.  Pulled the log format right out of the splunk documentation.  i'll paste it at the end of this message.  When i try and start squid with that log format, i get an error:

" FATAL: Bungled /etc/squid/squid.conf line 11: logformat splunk_squid %ts.%03tu logformat=splunk_recommended_squid duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%[ui" user="%[un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st bytes_out=%<st sni="%ssl::>sni"

 

I haven't been able to find anything solid to help out with this.  has anyone else experienced this?

 

Thanks

-Rob

 

Labels (1)
Labels
0 Karma
Reply

Ludvik
Explorer
‎09-26-2023 10:52 AM

Yes, it has to do with a bad log format in Squid 😠 and no one updated the docs. I solved via Squid docs and process of elimination. I can't seem to get the ssl::sni to work at all but this is all of the options without ssl::sni. 

logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%ui" user="%un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st bytes_out=%<st
Reply

josevg1981
Explorer
‎08-05-2025 05:17 AM

Ty men , sooo helpful . 

0 Karma
Reply

user4567654
Engager
‎10-05-2023 07:40 PM

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...