Splunk Search

Are there field extractions available for iPlanet web access logs?

ndoshi
Splunk Employee

Here are the fields, each followed by the value from a sample event and a description:

Hostname or IP address of client: arrow.a.com (in this case the hostname is shown because the web server's setting for DNS lookups is enabled; if DNS lookups were disabled, the client's IP address would appear)

RFC 931 information: - (RFC 931 identity not implemented)

Username: john (username entered by the client for authentication)

Date/time of request: 29/Mar/1999:4:36:53 -0800

Request: GET /help

Protocol: HTTP/1.0

Status code: 401

Bytes transferred: 571


kvaga
Explorer

Hello! I have more than five implementations of the iPlanet log file format string, because the format of any web access log depends on the administrator who manages the server.
Give me a few rows of your own log file and I'll give you the exact field-extraction string.


scruse
Path Finder

@kvaga I have a similar issue. How can I provide you with a sanitized sample so I don't repeat work already completed on this tech?


ndoshi
Splunk Employee

Try these in props.conf

[iplanet]
# Field names are reconstructed: the page's rendering stripped the (?<name>...) group names.
# The trailing integer is made optional so the pattern also matches events that do not carry it.
EXTRACT-myfields = ^(?<clientip>\S+)\s-\s(?<user>\S+)\s\[(?<timestamp>[^\]]+)\]\s"(?<method>\w+)\s(?<uri>\S+)\s(?<protocol>[^"]*)"\s(?<status>\d+)\s(?<bytes>\d+)(?:\s(?<other>\d+))?

ndoshi
Splunk Employee

BTW, the other field is probably not needed. It's there in case you have some integer at the end of the event that is unaccounted for.

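The field layout described in the first answer and the props.conf extraction in the last one, worked through as an added example (not code from the original thread or from Splunk). The field names clientip, ident, user, timestamp, method, uri, protocol, status, bytes and other are assumptions, as are the sample log lines, which are constructed here. The pattern generalizes the thread's regex slightly: the RFC 931 field is captured rather than matched literally as "-", the bytes field accepts "-" for an empty body, and the trailing integer is optional. Parsed records are then run through the check a Splunk user would write as `status=401 | stats count by clientip`.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Assumed field names; the page's own props.conf lost its group names in rendering.
IPLANET_RE = re.compile(
    r'^(?P<clientip>\S+)\s'          # hostname or IP (hostname if DNS lookups are on)
    r'(?P<ident>\S+)\s'              # RFC 931 identity, usually "-"
    r'(?P<user>\S+)\s'               # authenticated username or "-"
    r'\[(?P<timestamp>[^\]]+)\]\s'   # e.g. 29/Mar/1999:4:36:53 -0800
    r'"(?P<method>\w+)\s(?P<uri>\S+)\s(?P<protocol>[^"]*)"\s'
    r'(?P<status>\d+)\s'             # HTTP status code
    r'(?P<bytes>\d+|-)'              # bytes transferred; "-" assumed for no body
    r'(?:\s(?P<other>\d+))?\s*$'     # optional unaccounted trailing integer
)

# Splunk's conventional PCRE spelling of the same pattern, ready for props.conf.
SPLUNK_EXTRACT = "EXTRACT-iplanet = " + IPLANET_RE.pattern.replace("(?P<", "(?<")

# Constructed sample events (not real server output); 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = """\
arrow.a.com - john [29/Mar/1999:4:36:53 -0800] "GET /help HTTP/1.0" 401 571
198.51.100.7 - - [29/Mar/1999:4:37:10 -0800] "GET /index.html HTTP/1.0" 200 1024 15
198.51.100.7 - - [29/Mar/1999:4:37:11 -0800] "POST /cgi-bin/login HTTP/1.1" 302 -
this is not an access log line
"""


def parse_iplanet_line(line: str) -> Optional[dict]:
    """Return a dict of typed fields for one event, or None if it does not match."""
    m = IPLANET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ident", "user"):
        if rec[key] == "-":
            rec[key] = None
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["other"] = int(rec["other"]) if rec["other"] is not None else None
    # %H accepts the single-digit hour seen in the thread's sample timestamp.
    rec["time"] = datetime.strptime(rec["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_iplanet_log(lines):
    """Split input into parsed records and the raw lines that did not match."""
    parsed, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_iplanet_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    return parsed, unparsed


def failed_auth_by_client(records) -> dict:
    """Equivalent of `status=401 | stats count by clientip` over parsed records."""
    return dict(Counter(r["clientip"] for r in records if r["status"] == 401))


if __name__ == "__main__":
    records, bad = parse_iplanet_log(SAMPLE_LOG.splitlines())
    print(f"{len(records)} parsed, {len(bad)} unparsed")
    for r in records:
        print(r["time"].isoformat(), r["clientip"], r["user"], r["method"], r["uri"], r["status"], r["bytes"], r["other"])
    print("401s by client:", failed_auth_by_client(records))
    print(SPLUNK_EXTRACT)
```

Lines that fail to match are returned rather than dropped; in practice that list is the first thing to inspect, since kvaga's point above is that administrators change the format and an extraction that silently matches nothing is worse than one that errors.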