Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Are there field extractions available for IPlanet web access logs?

ndoshi
Splunk Employee
Splunk Employee
‎03-11-2013 12:54 PM

Here's the fields followed by a description:

Hostname or IP address of client

arrow.a.com. (In this case, the hostname is shown because the web server's setting for DNS lookups is enabled; if DNS lookups were disabled, the client's IP address would appear.

RFC 931 information

  • (RFC 931 identity not implemented)

Username

john (username entered by the client for authentication)

Date/time of request

29/Mar/1999:4:36:53 -0800

Request

GET /help

Protocol

HTTP/1.0

Status code

401

Bytes transferred

571

Tags (1)
0 Karma
Reply

kvaga
Explorer
‎06-10-2018 09:53 AM

Hello! I have more than five implementations of iplanet log files format string. Because a format of any web access log depends on the administrator who manages server.
Give me a few rows of your own log file and I'll give you exact string of field extraction

0 Karma
Reply

scruse
Path Finder
‎12-18-2018 07:32 AM

@kvaga i have a similar issue, how can i provide you with a sanitized sample so i dont repeat work already completed on this tech

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎03-11-2013 12:55 PM

Try these in props.conf

[iplanet]
EXTRACT-myfields=^(?.?[^\s])\s-\s(?.?[^\s])\s[(?.?)]\s\"(?\w+)\s(?.?[^\s])\s(?.*?)"\s(?\d+)\s(?\d+)\s(?\d+)

Reply

ndoshi
Splunk Employee
Splunk Employee
‎03-11-2013 01:18 PM

BTW, the other field is probably not needed. It's there in case you have some integer at the end of the event that is unaccounted for.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...