Splunk Search

how to add fields to web access log

New Member

Hi all,


This question is similar to http://answers.splunk.com/questions/10093/teaching-splunk-the-fields-in-a-custom-log-format but even more basic..

Note: Yes, RTM

The long term answer is RTM....in the meantime I'm brand new to splunk and would like to get this basic change up and running.

I've downloaded splunk, started it up, and index a vanilla apache access log. Great!


Now I want to index an access log which has a few more fields (e.g. "response time in milliseconds"), ala http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html

What are the "quick start guide" steps to add these fields.

I've scratched the surface of the admin guide and hunted through the various .conf files..but didn't find anything obvious..


Tags (2)
0 Karma


This one way to do it.

if not already exist create 2 files in $SPLUNK_HOME/etc/system/local: transforms.conf and props.conf. in transforms.conf:

REGEX = <here put the regular expression (regex) catching the full event line with the differents fields values to be extracted in bracket>
FORMAT = field1::$1 field2::$2 field3::$3

in props.conf:

REPORT-mycustomlog_fields_extraction = mycustomlog_fields_transform
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!