Splunk Search

Extracting fields

Communicator

5:56:04.000 PM

Dec 17 17:56:04 as1.br0.la.somecompany.com nginx: 68.232.40.28 - - [17/Dec/2012:17:56:04 -0800] "GET /cdn/asset/view/client/partizan/package/library/id/300590/format/o/h/f0107484aa8d9bdf4eba080bc7c6a492/?7a6013aef28682d61703dff120d21b12266b54a2a637283d7d4f0c0b4aa1f551916c39f5b8b23b8e8cb43d3055c3e48ed1864a6112 HTTP/1.1" 200 13333227 "-" "QuickTime/7.6.6 (qtver=7.6.6;cpu=IA32;os=Mac 10.6.8)" request_time 3.174 upstream_time 0.071

host=as3.br0.la.somecompany.com   Options|  
sourcetype=Nginx   Options|  
source=/var/log/nginx-access.log   Options|  
index=nginx   Options

The logs are being imported through syslog-ng into one nginx log file on a forwarder.The Challenge is Splunk sees them all coming from one host. "as3.br0.la.somecompany.com" instead of the individual hosts on the first line which have similar naming contexts, just different numerical values. What si the best way to extract the correct hostfields so they appear correctly in the search results? I have tried creating field extractions, however that is not working correctly, and is only appears to be available after the data is consumed.

Thank you

Tags (1)
0 Karma

Communicator

Thanks Kyle, I have tried this method, however it does not produce the results I was hoping for with indexing the data. I set up a field extraction with this reg ex to remove the hostnames in a search. index=nginx sourcetype="Nginx" host="" | rex "(?i)^(?:[^ ] ){3}(?P[^ ]+)" | top 50 FIELDNAME. This appears to work however I would like to extract the correct fields before the data is indexed ?

0 Karma

Hey Voltaire,

I'm a bit of a splunk Noob, but I've used NG for other Log Management systems. Have you looked into spoofing the source of the original sender? Its a feature called IP spoofing, where the NG server forwards the logs on via Syslog [NG/TCP] using the original SRC IP of the originating server.

So references here:

https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html

http://www.balabit.com/network-security/syslog-ng/comparing/detailed

This way, Splunk will see the originating server using the original IP address of the source, not the forwarder.

Hope this helps!

Kyle

0 Karma