Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: access_combined Field Definitions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sjwone
Explorer
10-18-2013
01:08 PM
I haven't been able to find definitions of the access_combined source type fields. Does anyone know where they might exist? Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
10-18-2013
01:25 PM
The extractions are found in configuration files in $SPLUNK_HOME/etc/system/default/
props.conf (from where the extraction is called)
[access_combined]
REPORT-access = access-extractions
transforms.conf (where it actually happens)
[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query,
version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining c
hars)
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[acce
ss-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)
"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
Whatever you do, don't modify any file in a 'default' directory.
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
10-18-2013
01:25 PM
The extractions are found in configuration files in $SPLUNK_HOME/etc/system/default/
props.conf (from where the extraction is called)
[access_combined]
REPORT-access = access-extractions
transforms.conf (where it actually happens)
[access-extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query,
version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining c
hars)
# Note: referer is misspelled in purpose because that is the "official" spelling for "HTTP referer"
REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[acce
ss-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)
"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
Whatever you do, don't modify any file in a 'default' directory.
/K
Get Updates on the Splunk Community!
Bridging the Gap: Splunk Helps Students Move from Classroom to Career
The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Preparing your Splunk Environment for OpenSSL3
The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...
Unleash Unified Security and Observability with Splunk Cloud Platform
Now Available on Microsoft AzureThursday, March 27, 2025 | 11AM PST / 2PM EST | Register NowStep boldly ...
