Splunk Search

How can I add two new fields to my logs?

New Member


On my servers I used combined Apache logs, but I added two other fields at the end of the logs : SSL_PROTOCOL and X-Forwarded-For

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{X-Forwarded-For}i" combined

The logs look like this : - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2

or - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2

With default access_combined sourcetype the PROTOCOL and X-Forwarded are located in other fields. But I would like to add two new fields for that like TLS_version and xforwarded.

Any idea on how to do this ?


0 Karma

New Member

I will answer to my own question :

just with using extractor field with regexp I was able to create those two new fields.

0 Karma


@romgo75, please go ahead and accept your own answer to mark this question as answered. For reference, following is the link to Splunk Docs for Interactive Field Extraction in Splunk.


| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...