Hello,
On my servers I used combined Apache logs, but I added two other fields at the end of the logs : SSL_PROTOCOL and X-Forwarded-For
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{X-Forwarded-For}i" combined
The logs look like this :
192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2
or
192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2 192.168.2.1 192.168.6.2
With default access_combined sourcetype the PROTOCOL and X-Forwarded are located in other fields. But I would like to add two new fields for that like TLS_version and xforwarded.
Any idea on how to do this ?
regards
I will answer to my own question :
just with using extractor field with regexp I was able to create those two new fields.
@romgo75, please go ahead and accept your own answer to mark this question as answered. For reference, following is the link to Splunk Docs for Interactive Field Extraction in Splunk.
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX