We just installed Splunk this week (YAY!) and are trying to get our Apache logs digesting to start building dashboards. Our web store uses a modified Apache Access log format that looks like this in our www.conf:
I know that none of the extractions provided by access_combined or apache:access (Apache Addon) seem to work because they're looking for the default format, but I'm a little confused on how to help them recognize our format. I see the extractions listed, but they don't look like regular regexes that I've seen. How would I go about changing them to match our formatting?
This matches your pattern to a certain degree, but NOT all of it.
(e.g. src matches %h; unless you post the actual log, we can't be sure which fields all match)
So you might need to amend this "EXTRACT-apache_access" in the "local" directory of the app (or your own app) so that it matches your www.conf format.
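Since the actual LogFormat was not included in the post, the following is an added, stand-alone illustration of the technique (not code from the thread or from the Apache add-on): it assumes a hypothetical modified LogFormat, shows the props.conf EXTRACT- stanza you would write for it in PCRE named-group syntax as Splunk expects, and then test-drives that regex against a few constructed log lines before you deploy it. Splunk's EXTRACT- regexes use `(?<name>...)` groups, which Python's `re` does not accept, so the script rewrites them to `(?P<name>...)` for local testing; it also shows a combined-format regex (written here, not Splunk's stock one) failing on the custom line, which is exactly why the default extractions produce nothing.

```python
import re

# ASSUMED, hypothetical LogFormat standing in for the asker's www.conf
# (the real one was not posted):
#   LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{User-Agent}i\" %{X-Session-ID}i" store
#
# Corresponding stanza for local/props.conf (PCRE, as Splunk uses it):
#   [store:access]
#   EXTRACT-store_access = <SPLUNK_REGEX below, on one line>
SPLUNK_REGEX = (
    r'^(?<src>\S+)\s+(?<ident>\S+)\s+(?<user>\S+)\s+\[(?<time>[^\]]+)\]\s+'
    r'"(?<method>\S+)\s+(?<uri_path>\S+)\s+(?<http_version>[^"]+)"\s+'
    r'(?<status>\d{3})\s+(?<bytes>-|\d+)\s+(?<response_us>\d+)\s+'
    r'"(?<http_user_agent>[^"]*)"\s+(?<session_id>\S+)$'
)

# A combined-log-style regex written here for contrast (not Splunk's stock
# access_combined extraction): it expects "referer" "user-agent" after %b.
COMBINED_REGEX = (
    r'^(?<src>\S+)\s+(?<ident>\S+)\s+(?<user>\S+)\s+\[(?<time>[^\]]+)\]\s+'
    r'"(?<request>[^"]*)"\s+(?<status>\d{3})\s+(?<bytes>-|\d+)\s+'
    r'"(?<referer>[^"]*)"\s+"(?<useragent>[^"]*)"$'
)

# Constructed sample lines in the assumed custom format.
CUSTOM_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 -0700] "GET /cart/checkout HTTP/1.1" '
    '200 5123 18342 "Mozilla/5.0 (X11; Linux x86_64)" abc123',
    # %b and %{X-Session-ID}i both absent, logged as "-"
    '198.51.100.23 - alice [10/Oct/2023:13:56:01 -0700] "POST /api/order HTTP/1.1" '
    '302 - 90210 "curl/8.4.0" -',
]

# Constructed line in the default Apache "combined" format, for contrast.
COMBINED_LINE = (
    '203.0.113.7 - - [10/Oct/2023:13:55:36 -0700] "GET /cart/checkout HTTP/1.1" '
    '200 5123 "http://shop.example/" "Mozilla/5.0 (X11; Linux x86_64)"'
)


def to_python_regex(pcre: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! must be left alone, hence the negative lookahead.
    """
    return re.sub(r'\(\?<(?![=!])', '(?P<', pcre)


def extract(line: str, pcre: str = SPLUNK_REGEX):
    """Apply a Splunk-style EXTRACT- regex to one event.

    Returns the dict of extracted fields, or None when the regex does not
    match (which is what Splunk silently does for a format mismatch).
    """
    m = re.match(to_python_regex(pcre), line)
    return m.groupdict() if m else None


def coverage(lines, pcre: str = SPLUNK_REGEX):
    """Fraction of sample lines the regex fully matches; 1.0 means the
    extraction is ready to go into props.conf for those samples."""
    hits = sum(1 for ln in lines if extract(ln, pcre) is not None)
    return hits / len(lines)


if __name__ == '__main__':
    for ln in CUSTOM_LINES:
        print(extract(ln))
    print('custom regex on custom lines :', coverage(CUSTOM_LINES))
    print('custom regex on combined line:', coverage([COMBINED_LINE]))
    print('combined regex on custom line:', coverage(CUSTOM_LINES, COMBINED_REGEX))
```

Run the script against a handful of real lines copied from the store's access log before committing the stanza; a coverage below 1.0 means some variant of the format (empty %b, quotes inside a User-Agent, a missing header) still needs handling in the regex.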