Dear splunkers,

I need to ingest some Apache log files. Those log files are first sent to a syslog server by rsyslog; rsyslog adds its own information to each line of the log file. A UF is installed on this syslog server and can monitor the log file and send them to the indexers.

Each line of the log file looks like this:

2024-02-16T00:00:00.129824+01:00 website-webserver /var/log/apache2/website/access.log 10.0.0.1 - - [16/Feb/2024:00:00:00 +0100] "GET /" 200 10701 "-" "-" 228

As you can see, the first part of the log, until "/access.log ", has been added by rsyslog, so this is something I want Splunk to filter out / delete.

So far, I'm able to monitor the file and filter out the rsyslog layer of the events with a parameter, and I added the TIME_PREFIX parameter, then Splunk automatically detects the timestamp. Like this:

SEDCMD-1=s/^.*\.log //g
TIME_PREFIX=- - \[

I created a custom sourcetype accordingly. But the issue is that the field extraction is not working properly. Almost no field besides the _time related fields is being extracted. I guess it's because I'm using a custom sourcetype, so Splunk is not extracting the fields automatically as it should; but I'm not really sure... I'm a bit lost 😞

Thanks a lot for your kind help 🙂
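As an added illustration (this is not part of the original post and not Splunk's own code), the following Python script replays the post's two props.conf stages locally over constructed sample lines: the SEDCMD strip of the rsyslog prefix, the TIME_PREFIX timestamp lookup, and the combined-format field extraction that a custom sourcetype does not get for free. It assumes rsyslog always prepends exactly three space-separated tokens (timestamp, host, file path), treats the trailing integer at the end of each line as an extra field it calls `trailing`, and uses its own combined-format regex and field names modelled on Apache's combined log format, not Splunk's built-in `access_combined` extraction. The second sample line carries a request path that itself ends in `.log`, to show why the greedy `^.*\.log ` pattern is risky.

```python
import re
from datetime import datetime

# props.conf stanza the script mirrors (the two lines from the post plus a
# tightened SEDCMD variant discussed below; assumption: sourcetype name is yours):
#   [my_apache_access]
#   SEDCMD-1=s/^.*\.log //g
#   TIME_PREFIX=- - \[

# Constructed sample lines in the rsyslog-wrapped format (not from a real server).
SAMPLE_LINES = [
    '2024-02-16T00:00:00.129824+01:00 website-webserver /var/log/apache2/website/access.log '
    '10.0.0.1 - - [16/Feb/2024:00:00:00 +0100] "GET /" 200 10701 "-" "-" 228',
    # Request path ends in ".log ": the greedy SEDCMD eats everything up to it.
    '2024-02-16T00:00:01.000000+01:00 website-webserver /var/log/apache2/website/access.log '
    '10.0.0.2 - - [16/Feb/2024:00:00:01 +0100] "GET /exports/report.log HTTP/1.1" 404 512 '
    '"-" "curl/8.5.0" 12',
]

# Equivalent of the post's SEDCMD-1=s/^.*\.log //g : greedy, strips up to the LAST ".log ".
SEDCMD_GREEDY = re.compile(r'^.*\.log ')
# Tighter alternative (assumption: rsyslog prepends exactly three space-separated tokens,
# the last of which is the file path): strip only those three tokens.
SEDCMD_TIGHT = re.compile(r'^\S+ \S+ \S+\.log ')

# TIME_PREFIX=- - \[ : the timestamp starts right after this prefix and ends at ']'.
TIME_PREFIX = re.compile(r'- - \[')
TIME_FORMAT = '%d/%b/%Y:%H:%M:%S %z'  # Apache's %t format, e.g. 16/Feb/2024:00:00:00 +0100

# Combined log format extraction (assumed field names; the optional trailing integer
# matches the extra number the post's lines end with).
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"(?: (?P<trailing>\d+))?$'
)


def strip_rsyslog(line, sedcmd=SEDCMD_TIGHT):
    """Apply the SEDCMD-style substitution: remove the rsyslog prefix from one line."""
    return sedcmd.sub('', line, count=1)


def extract_time(event):
    """Locate the timestamp the way TIME_PREFIX does and parse it; None if not found."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    end = event.find(']', m.end())
    if end == -1:
        return None
    return datetime.strptime(event[m.end():end], TIME_FORMAT)


def extract_fields(event):
    """Combined-format field extraction; None when the event no longer parses."""
    m = ACCESS_COMBINED.match(event)
    return m.groupdict() if m else None


def process(line, sedcmd=SEDCMD_TIGHT):
    """Run all three stages on a raw rsyslog-wrapped line and return the field dict."""
    event = strip_rsyslog(line, sedcmd)
    fields = extract_fields(event)
    if fields is None:
        return None
    fields['_time'] = extract_time(event)
    return fields


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print('greedy:', process(line, SEDCMD_GREEDY))
        print('tight: ', process(line, SEDCMD_TIGHT))
```

The first sample line parses identically under both SEDCMD variants. On the second line the greedy `^.*\.log ` strips through `/exports/report.log ` as well, leaving `HTTP/1.1" 404 512 "-" "curl/8.5.0" 12`, which no combined-format extraction will match; anchoring the substitution to the three rsyslog tokens avoids that.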