Splunk Search

how to add fields to web access log

New Member

Hi all,

Similar

This question is similar to http://answers.splunk.com/questions/10093/teaching-splunk-the-fields-in-a-custom-log-format but even more basic..

Note: Yes, RTM

The long term answer is RTM....in the meantime I'm brand new to splunk and would like to get this basic change up and running.

I've downloaded splunk, started it up, and index a vanilla apache access log. Great!

Requirement

Now I want to index an access log which has a few more fields (e.g. "response time in milliseconds"), ala http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html

What are the "quick start guide" steps to add these fields.

I've scratched the surface of the admin guide and hunted through the various .conf files..but didn't find anything obvious..

thanks

Tags (2)
0 Karma

Motivator

This one way to do it.

if not already exist create 2 files in $SPLUNK_HOME/etc/system/local: transforms.conf and props.conf. in transforms.conf:

[mycustomlog_fields_transform]
REGEX = <here put the regular expression (regex) catching the full event line with the differents fields values to be extracted in bracket>
FORMAT = field1::$1 field2::$2 field3::$3

in props.conf:

[mysourcetype]
REPORT-mycustomlog_fields_extraction = mycustomlog_fields_transform
0 Karma