apache virtual hosts - custom field?

jgauthier · ‎11-19-2013

I have several virtual hosts per Apache server, and I want to be able to report on them individually. I envision that I need to add a custom field, somehow, to each input for the indexer?

How could I achieve this? I would prefer all of this happen on the universalforwarder.

Thanks!

bchoi_splunk · ‎11-19-2013

how about adding a field? you can add the following to your search:

| rex field=host /log/var/(?.*)/

you can also add it to your field extractor. Would this work?

jgauthier · ‎11-19-2013

Oh yeah, that makes a ton of sense! I'll see what I can do with that. Thanks!

bchoi_splunk · ‎11-19-2013

how is your log configured right now?

CustomLog ${APACHE_LOG_DIR}/myvirtualhost/access.log

For example, if logs from a virtual host are organized under ${APACHE_LOG_DIR}/myvirtualhost, you can add the following line to your input.conf

[monitor:///var/log/apache/myvirtualhost]
host_segment = 4

That way, "myvirtualhost" will be the host name for all log files that live under myvirtualhost.

Sorry If i misunderstood your question.

jgauthier · ‎11-19-2013

That could work, but I actually want to retain the host information as the server it comes from. It could be multiple servers.

apache virtual hosts - custom field?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!