I am using Splunk version 6.1.3 and the Squid App v0.2.
My props.conf contains:
[squid]
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 15
KV_MODE = none
SHOULD_LINEMERGE = false
REPORT-squid = squid
My transforms.conf contains:
[squid]
REGEX = ^\d+\.\d+\s+(\d+)\s+([0-9\.]*)\s+([^/]+)/(\d+)\s+(\d+)\s+(\w+)\s+((?:([^:]*)://)?([^/:]+):?(\d+)?(/?[^ ]*))\s+(\S+)\s+([^/]+)/([^ ]+)\s+(.*)$
FORMAT = duration::$1 clientip::$2 action::$3 http_status::$4 bytes::$5 method::$6 uri::$7 proto::$8 uri_host::$9 uri_port::$10 uri_path::$11 username::$12 hierarchy::$13 server_ip::$14 content_type::$15
I am receiving squid logs on UDP 514. The sourcetype is manually set to "squid" (I just typed squid into the field).
When I search sourcetype="squid", things go fine and I get results, but if I run the command sourcetype="squid" action="*", I get no results.
When I run the Squid app, there are no results either. The job inspector shows me this information:
"This search has completed, but did not match any events. The terms specified in the highlighted portion of the search" and this part is highlighted:
search sourcetype="squid" action="*" | eval reqcount=1
and
The following messages were returned by the search subsystem:
DEBUG: base lispy: [ AND sourcetype::squid ]
DEBUG: search context: user="admin", app="SplunkforSquid", bs-pathname="/opt/splunk/etc"
As a test, I tried changing the sourcetype to "syslog" and running the search
search sourcetype="syslog" action="*"
.. and it gave me results, but when I tried a search like:
search sourcetype="syslog" clientip="*" uri_host="*" uri_path="*"
.. I didn't get any results. There are no clientip, uri_host or uri_path fields extracted, or even indexed.
Can you help me with this problem?
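The following script is an added example, not part of the original question, for checking the posted transforms.conf regex outside Splunk. It runs the regex from the question against two constructed lines: a native Squid access.log line, and the same line prefixed with a syslog header of the kind a UDP 514 listener typically receives (the header format used here is an assumption; the real prefix depends on how Squid and the syslog daemon are configured). Because the posted regex starts with `^\d+\.\d+`, it cannot match once anything precedes the epoch timestamp; the second pattern shows one way to allow an optional header. Separately, a REPORT- extraction in a [squid] props.conf stanza applies only to events whose sourcetype is squid, so it does not run on events indexed as sourcetype=syslog.

```python
import re

# Field names in the order of the capture groups in the posted transforms.conf FORMAT line.
FIELDS = ["duration", "clientip", "action", "http_status", "bytes", "method",
          "uri", "proto", "uri_host", "uri_port", "uri_path", "username",
          "hierarchy", "server_ip", "content_type"]

# Body of the posted REGEX without its leading '^', so it can be re-anchored below.
SQUID_BODY = (r'\d+\.\d+\s+(\d+)\s+([0-9\.]*)\s+([^/]+)/(\d+)\s+(\d+)\s+(\w+)\s+'
              r'((?:([^:]*)://)?([^/:]+):?(\d+)?(/?[^ ]*))\s+(\S+)\s+([^/]+)/([^ ]+)\s+(.*)$')

# Exactly the regex from the question.
SQUID_REGEX = re.compile('^' + SQUID_BODY)

# Assumed RFC 3164 style header ("Aug 27 08:20:37 host squid[pid]: ").
# Adjust this to whatever prefix actually appears on the events received on UDP 514.
SYSLOG_PREFIX = r'(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+squid\[\d+\]:\s+)?'
SQUID_REGEX_WITH_HEADER = re.compile('^' + SYSLOG_PREFIX + SQUID_BODY)


def extract(line, regex=SQUID_REGEX):
    """Return a dict field -> value (None for unmatched optional groups), or None if no match."""
    m = regex.match(line)
    if m is None:
        return None
    return {name: m.group(i + 1) for i, name in enumerate(FIELDS)}


# Constructed sample lines, not real traffic.
NATIVE_LINE = ("1409125237.123    245 10.0.0.5 TCP_MISS/200 1432 GET "
               "http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html")
SYSLOG_LINE = "Aug 27 08:20:37 proxy01 squid[1234]: " + NATIVE_LINE


def check_samples():
    """Match both sample lines with both patterns; returns {pattern: {line: matched?}}."""
    return {
        "posted_regex": {"native": extract(NATIVE_LINE) is not None,
                         "syslog": extract(SYSLOG_LINE) is not None},
        "with_header": {"native": extract(NATIVE_LINE, SQUID_REGEX_WITH_HEADER) is not None,
                        "syslog": extract(SYSLOG_LINE, SQUID_REGEX_WITH_HEADER) is not None},
    }


if __name__ == "__main__":
    for pattern, results in check_samples().items():
        print(pattern, results)
    print(extract(NATIVE_LINE))
```

If the events on the indexer carry a header, the same optional prefix can be put in front of the REGEX in transforms.conf (or the header stripped at input time); if they do not, the posted regex already extracts every field from a native line, and the problem lies elsewhere.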