Splunk Search

Search-time field extraction - Apache access_combined + additional field


I have a custom log format that is Apache's access_combined format with a custom field representing an app's version number at the end. The fields are space separated. How can I configure Splunk to do automatic search-time field extraction of the standard access_combined set of fields and this extra field?

0 Karma

Re: Search-time field extraction - Apache access_combined + additional field


You have two choices:

  1. Assign the source type of access_combined and in props.conf, add a field for the version number. (An example of the field extraction is below.) This should work even if you have other logs that are the "standard" access_combined format, since the field won't be extracted where it doesn't exist.
  2. Find the definition of access_combined in the default props.conf and copy it to your own props.conf, giving the stanza a different name. Then add the app version field.

Here is the field extraction for the the new field, which I call app_version (because the Apache logs already have a field named version which is the Apache version).

EXTRACT-e1 = \s(?<app_version>\S+)\s*$

This field will contain the last non-blank character string on the line.

View solution in original post