Splunk Search

Why is apache logs relevant field name not showing in details log?

Jaycybersec
Explorer

Hello ,

I have installed forwarder on Linux system and able to see logs in searches but the when i open a detailed log the field & value is missing for the relevant part of raw log.

Jaycybersec_1-1647022736429.png

All the useful details are missing in field.

Ip address, status code, bytes, user agent name, method used etc.. are missing.

can anyone guide here how to see those relevant things inside events.

Labels (1)
Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Great!  If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you installed an app to process the events for you?  Splunk Add-on for Apache Web Server (https://splunkbase.splunk.com/app/3186/) looks like a good candidate.  

---
If this reply helps you, Karma would be appreciated.

Jaycybersec
Explorer

Hi,

 

Thanks for your response.

Have installed the app and restarted the service but still unable to see those relevant fields.

Jaycybersec_0-1647029412755.png

Jaycybersec_1-1647029439147.png

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The issue seems to stem, at least in part, from the sourcetype "access-too_small".  It's unlikely any add-on uses that sourcetype so none will extract any fields for it.

The "-too_small" issue usually arises when the input does not specify a sourcetype and there's not enough data for Splunk to analyze and make a guess about the sourcetype.  Make sure the inputs.conf file with the [monitor:///var/log/apache2/access.log] stanza has a sourcetype setting,

---
If this reply helps you, Karma would be appreciated.

Jaycybersec
Explorer

Hi,

i have done the suggested steps and it's working fine and showing the relevant field.

Thanks .

 

Jaycybersec_0-1647066066085.pngJaycybersec_1-1647066077530.png

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Great!  If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...