Re: How can I add two new fields to my logs?

romgo75 · ‎08-28-2017

Hello,

On my servers I used combined Apache logs, but I added two other fields at the end of the logs : SSL_PROTOCOL and X-Forwarded-For

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{X-Forwarded-For}i" combined

The logs look like this :

192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2

or
192.168.1.1 - - [28/Aug/2017:22:27:26 +0200] "GET /production/file HTTP/1.1" 200 601 "-" "Ruby" TLSv1.2 192.168.2.1 192.168.6.2

With default access_combined sourcetype the PROTOCOL and X-Forwarded are located in other fields. But I would like to add two new fields for that like TLS_version and xforwarded.

Any idea on how to do this ?

regards

romgo75 · ‎11-16-2017

I will answer to my own question :

just with using extractor field with regexp I was able to create those two new fields.

niketn · ‎11-16-2017

@romgo75, please go ahead and accept your own answer to mark this question as answered. For reference, following is the link to Splunk Docs for Interactive Field Extraction in Splunk.

https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How can I add two new fields to my logs?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How can I add two new fields to my logs?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem