I am trying to analyse a squid access log for top 10 reports (top sources, top destinations, etc.)
I imported the log file in Manager » Data inputs » Files & Directories » Add New
When I keep the sourcetype=automatic, it does not seem to identify the source, destination, etc. fields... it just bundles them into one huge field, which is useless.
Elsewhere in this forum, I found someone using sourcetype=squid_access. Where is this available for the latest version (4.1.4)? If not this, what is the best way of analysing squid logs in Splunk?
When you set sourcetype to manual you should be able to type squid_access in the box below.
thanks rroberts 🙂
I see what you mean now. Have you seen this doc? http://www.splunk.com/wiki/Community:Field_extractions_for_Squid_data
There is a props.conf and transforms.conf example for squid field extraction that might be helpful.
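The extraction that props.conf/transforms.conf would do for squid's native access.log format, shown as an added, stand-alone Python example that is not from the thread, the wiki page or Splunk itself. It uses one regex with named groups for the native squid fields (client, TCP_MISS/200 split into result and status, method, URL, hierarchy/peer, content type), derives a destination host from the URL (handling the CONNECT host:port form), and builds the kind of top-10 report the question asks for. The log lines are constructed for the example; the one non-squid line shows how unparseable input is counted rather than silently dropped. The same pattern could be pasted into a props.conf EXTRACT- stanza, since Splunk's PCRE engine accepts the `(?P<name>...)` group syntax, but that stanza is not included here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log format, one event per line:
#   timestamp elapsed client result/status bytes method url user hierarchy/peer type
# Named groups become the field names. The pattern is also valid PCRE, so it can
# be reused in a Splunk EXTRACT- stanza (not shown here; assumption, not verified on 4.1.4).
SQUID_NATIVE = re.compile(
    r"^(?P<timestamp>\d+(?:\.\d+)?)\s+"
    r"(?P<elapsed>\d+)\s+"
    r"(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+"   # e.g. TCP_MISS/200 -> result, status
    r"(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)/(?P<peer>\S+)\s+"    # e.g. DIRECT/93.184.216.34 or NONE/-
    r"(?P<type>\S+)\s*$"
)

# Constructed sample log for the example; timestamps, hosts and addresses are made up.
SAMPLE_LOG = """\
1280212355.123     45 192.168.1.10 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1280212356.001     12 192.168.1.10 TCP_HIT/200 5120 GET http://www.example.com/logo.png - NONE/- image/png
1280212360.456   8000 192.168.1.11 TCP_MISS/200 98765 CONNECT mail.google.com:443 - DIRECT/74.125.0.1 -
1280212361.789     30 192.168.1.12 TCP_DENIED/403 3500 GET http://www.example.net/admin - NONE/- text/html
1280212362.222     55 192.168.1.10 TCP_MISS/404 800 GET http://www.example.com/missing - DIRECT/93.184.216.34 text/html
this line is not a squid event
"""


def dest_host(url: str) -> str:
    """Destination host for a request.

    CONNECT requests log 'host:port' with no scheme; everything else is a full URL.
    """
    if "://" in url:
        return urlsplit(url).hostname or ""
    # host:port form: strip the port, keep a bracketed IPv6 literal intact
    host, _, _port = url.rpartition(":")
    return host or url


def parse_line(line: str):
    """Return a dict of fields for one squid event, or None if the line does not match."""
    m = SQUID_NATIVE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for numeric in ("elapsed", "status", "bytes"):
        ev[numeric] = int(ev[numeric])
    ev["dest"] = dest_host(ev["url"])
    return ev


def parse_lines(lines):
    """Parse many lines; returns (events, number_of_unparseable_lines)."""
    events, skipped = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


def top_n(events, field: str, n: int = 10):
    """Top-n values of one extracted field, as (value, count) pairs, most frequent first."""
    return Counter(ev[field] for ev in events).most_common(n)


if __name__ == "__main__":
    events, skipped = parse_lines(SAMPLE_LOG.splitlines())
    print(f"{len(events)} events parsed, {skipped} lines skipped")
    for field in ("client", "dest", "status", "result"):
        print(f"top {field}:", top_n(events, field, 10))
```

Run against a real access.log by replacing SAMPLE_LOG.splitlines() with the file's lines; a non-zero skipped count means the proxy is not writing the native format (squid's logformat directive can emulate Apache/common format instead), in which case the regex has to change before any top-10 report is meaningful.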
Actually, manually typing access_squid does not help, in that fields like TCP_MISS/200, CONNECT, http://mail.google.com etc. in the log don't get classified into separate fields. Tried the 'extract fields' options, but I am poor at regex, and it would be helpful if there is a ready plugin that lets Splunk categorize the fields accordingly. (Which is not happening right now.)
The 'drop-down' list appears when I choose the 'From list' option in the 'Set sourcetype' section... Manual sourcetype does not give any listing...