Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting fields

Voltaire
Communicator
‎12-17-2012 06:06 PM

5:56:04.000 PM

Dec 17 17:56:04 as1.br0.la.somecompany.com nginx: 68.232.40.28 - - [17/Dec/2012:17:56:04 -0800] "GET /cdn/asset/view/client/partizan/package/library/id/300590/format/o/h/f0107484aa8d9bdf4eba080bc7c6a492/?7a6013aef28682d61703dff120d21b12266b54a2a637283d7d4f0c0b4aa1f551916c39f5b8b23b8e8cb43d3055c3e48ed1864a6112 HTTP/1.1" 200 13333227 "-" "QuickTime/7.6.6 (qtver=7.6.6;cpu=IA32;os=Mac 10.6.8)" request_time 3.174 upstream_time 0.071

host=as3.br0.la.somecompany.com   Options|  
sourcetype=Nginx   Options|  
source=/var/log/nginx-access.log   Options|  
index=nginx   Options

The logs are being imported through syslog-ng into one nginx log file on a forwarder.The Challenge is Splunk sees them all coming from one host. "as3.br0.la.somecompany.com" instead of the individual hosts on the first line which have similar naming contexts, just different numerical values. What si the best way to extract the correct hostfields so they appear correctly in the search results? I have tried creating field extractions, however that is not working correctly, and is only appears to be available after the data is consumed.

Thank you

Tags (1)
0 Karma
Reply

Voltaire
Communicator
‎12-26-2012 10:14 AM

Thanks Kyle, I have tried this method, however it does not produce the results I was hoping for with indexing the data. I set up a field extraction with this reg ex to remove the hostnames in a search. index=nginx sourcetype="Nginx" host="" | rex "(?i)^(?:[^ ] ){3}(?P[^ ]+)" | top 50 FIELDNAME. This appears to work however I would like to extract the correct fields before the data is indexed ?

0 Karma
Reply

kylexhourihan
Engager
‎12-17-2012 08:27 PM

Hey Voltaire,

I'm a bit of a splunk Noob, but I've used NG for other Log Management systems. Have you looked into spoofing the source of the original sender? Its a feature called IP spoofing, where the NG server forwards the logs on via Syslog [NG/TCP] using the original SRC IP of the originating server.

So references here:

https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html

http://www.balabit.com/network-security/syslog-ng/comparing/detailed

This way, Splunk will see the originating server using the original IP address of the source, not the forwarder.

Hope this helps!

Kyle

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top