Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extracting fields

Voltaire
Communicator
‎12-17-2012 06:06 PM

5:56:04.000 PM

Dec 17 17:56:04 as1.br0.la.somecompany.com nginx: 68.232.40.28 - - [17/Dec/2012:17:56:04 -0800] "GET /cdn/asset/view/client/partizan/package/library/id/300590/format/o/h/f0107484aa8d9bdf4eba080bc7c6a492/?7a6013aef28682d61703dff120d21b12266b54a2a637283d7d4f0c0b4aa1f551916c39f5b8b23b8e8cb43d3055c3e48ed1864a6112 HTTP/1.1" 200 13333227 "-" "QuickTime/7.6.6 (qtver=7.6.6;cpu=IA32;os=Mac 10.6.8)" request_time 3.174 upstream_time 0.071

host=as3.br0.la.somecompany.com   Options|  
sourcetype=Nginx   Options|  
source=/var/log/nginx-access.log   Options|  
index=nginx   Options

The logs are being imported through syslog-ng into one nginx log file on a forwarder.The Challenge is Splunk sees them all coming from one host. "as3.br0.la.somecompany.com" instead of the individual hosts on the first line which have similar naming contexts, just different numerical values. What si the best way to extract the correct hostfields so they appear correctly in the search results? I have tried creating field extractions, however that is not working correctly, and is only appears to be available after the data is consumed.

Thank you

Tags (1)
0 Karma
Reply

Voltaire
Communicator
‎12-26-2012 10:14 AM

Thanks Kyle, I have tried this method, however it does not produce the results I was hoping for with indexing the data. I set up a field extraction with this reg ex to remove the hostnames in a search. index=nginx sourcetype="Nginx" host="" | rex "(?i)^(?:[^ ] ){3}(?P[^ ]+)" | top 50 FIELDNAME. This appears to work however I would like to extract the correct fields before the data is indexed ?

0 Karma
Reply

kylexhourihan
Engager
‎12-17-2012 08:27 PM

Hey Voltaire,

I'm a bit of a splunk Noob, but I've used NG for other Log Management systems. Have you looked into spoofing the source of the original sender? Its a feature called IP spoofing, where the NG server forwards the logs on via Syslog [NG/TCP] using the original SRC IP of the originating server.

So references here:

https://lists.balabit.hu/pipermail/syslog-ng/2004-November/006695.html

http://www.balabit.com/network-security/syslog-ng/comparing/detailed

This way, Splunk will see the originating server using the original IP address of the source, not the forwarder.

Hope this helps!

Kyle

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...