Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search-time field extraction - Apache access_combined + additional field

johntopley
Explorer
‎05-10-2014 08:19 AM

I have a custom log format that is Apache's access_combined format with a custom field representing an app's version number at the end. The fields are space separated. How can I configure Splunk to do automatic search-time field extraction of the standard access_combined set of fields and this extra field?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-10-2014 10:41 AM

You have two choices:

  1. Assign the source type of access_combined and in props.conf, add a field for the version number. (An example of the field extraction is below.) This should work even if you have other logs that are the "standard" access_combined format, since the field won't be extracted where it doesn't exist.
  2. Find the definition of access_combined in the default props.conf and copy it to your own props.conf, giving the stanza a different name. Then add the app version field.

Here is the field extraction for the the new field, which I call app_version (because the Apache logs already have a field named version which is the Apache version).

EXTRACT-e1 = \s(?<app_version>\S+)\s*$

This field will contain the last non-blank character string on the line.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-10-2014 10:41 AM

You have two choices:

  1. Assign the source type of access_combined and in props.conf, add a field for the version number. (An example of the field extraction is below.) This should work even if you have other logs that are the "standard" access_combined format, since the field won't be extracted where it doesn't exist.
  2. Find the definition of access_combined in the default props.conf and copy it to your own props.conf, giving the stanza a different name. Then add the app version field.

Here is the field extraction for the the new field, which I call app_version (because the Apache logs already have a field named version which is the Apache version).

EXTRACT-e1 = \s(?<app_version>\S+)\s*$

This field will contain the last non-blank character string on the line.

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...