Dear Experts,
I am working on onboarding the Apache web logs and mapping the data into the access_combined sourcetype to parse the data and do the field extraction as per the transforms file.
The web server is behind a load balancer that forwards the requests. Now the client IP is showing as my load balancer, and the public IP is not extracted using the access_combined transform file.
But the log format we have on the web server is LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Is there any specific log format for a web server behind a load balancer so that Splunk can parse the log as expected?
There is a difference in the log format compared with the out-of-the-box regular expression.
The sample log we are getting is:
87.109.30.200, xx.xx.xx.xx - - [01/Jan/2015:00:06:00 +0300] "GET /wps/contenthandler/rbg/!ut/p/digest!2jrll8SkahQpQlUhFJmocw/sp/mashup:ra:collection?soffset=0&eoffset=6&themeID=ZJ_JA28HB02IG0R20IVDOA2AO20G4&locale=ar&locale=en&mime-type=text%2Fcss&entry=wp_one_ui_30__0.0%3Ahead_css&entry=wp_one_ui_dijit_30__0.0%3Ahead_css&entry=wp_legacy_layouts__0.0%3Ahead_css&entry=wp_theme_portal_80__0.0%3Ahead_css&entry=wp_status_bar__0.0%3Ahead_css&entry=wp_portlet_css__0.0%3Ahead_css HTTP/1.1" 200 207302 "https://www.xxx.xxx.com.in/wps/portal/rbg/login" "Mozilla/5.0 (Linux; U; Android 4.1.1; ar-ae; GT-N7100 Build/JRO03C) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
Any suggestion on making the change in the regex rather than doing the field extraction?
Thanks,
Sunil Suresh
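As an added example (not from the post above and not Splunk's own access_combined extraction), the following Python regex parses the X-Forwarded-For variant of the combined format shown in the post and splits the forwarded chain into the claimed client address and the address appended by the last proxy; the load balancer address 10.0.0.5, the shortened request, and the second and third sample lines are constructed stand-ins, not values from the post.

```python
import re
from typing import Optional

# Apache "combined" format with %h replaced by %{X-Forwarded-For}i, as in the
# post's LogFormat. The first field may be a comma-separated list because each
# proxy in the path appends the address it received the request from.
COMBINED_XFF = re.compile(
    r'^(?P<xff>\S+(?:,\s*\S+)*) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access log line, or None if it does not match."""
    m = COMBINED_XFF.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    hops = [h.strip() for h in fields["xff"].split(",")]
    # Leftmost hop is the original client as claimed by whoever first set the
    # header; the rightmost hop was appended by the last proxy, which is the only
    # value your own load balancer vouches for. Keep both so they can be compared.
    fields["clientip"] = hops[0] if hops[0] != "-" else None  # "-" = header absent
    fields["last_proxy"] = hops[-1] if len(hops) > 1 else None
    fields["forwarded_chain"] = hops
    return fields


# Constructed sample lines modelled on the post's log: a request through the
# load balancer, a request with no X-Forwarded-For header, and a single-hop line.
SAMPLE_LINES = [
    '87.109.30.200, 10.0.0.5 - - [01/Jan/2015:00:06:00 +0300] '
    '"GET /wps/portal/rbg/login HTTP/1.1" 200 207302 '
    '"https://www.example.com/wps/portal/rbg/login" "Mozilla/5.0 (Linux; U; Android 4.1.1) Mobile Safari/534.30"',
    '- - - [01/Jan/2015:00:06:01 +0300] "GET /wps/portal/rbg/login HTTP/1.1" 302 - "-" "curl/7.35.0"',
    '192.0.2.10 - - [01/Jan/2015:00:06:02 +0300] "POST /wps/portal/rbg/login HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_line(raw)
        print(parsed["clientip"], parsed["last_proxy"], parsed["status"], parsed["request"])
```

The named groups use `(?P<name>...)` syntax, which Splunk's PCRE-based REGEX settings also accept, so the same pattern can be adapted into a transforms.conf stanza once it matches the lines on your indexer (assumption: your Splunk version's PCRE dialect, which should be confirmed against its documentation).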