All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Add-on for Apache Web Server: Too restrictive?

sloshburch
Ultra Champion
‎08-26-2016 12:10 PM

I'm playing with the Splunk Add-on for Apache Web Server but it looks to be restrictive on the log format as per: http://docs.splunk.com/Documentation/AddOns/released/ApacheWebServer/Configure
But is there a way to use this without changing the log format since many organizations have a restriction on changing their log format.
I'd love to use this TA so I can make my access_combined CIM-compliant but looks like I'm losing a lot of fields since I can't change the httpd.conf log format.
Maybe I'm missing something simple here?

0 Karma
Reply

jdonn_splunk
Splunk Employee
Splunk Employee
‎08-26-2016 12:16 PM

If you cannot change the format of the file, change the field extractions to fit your data. You can do this in props.conf & transforms.conf or use the field extraction utility in the GUI.

However, if you are missing some of the fields used to drive dashboard panels, you may have to update some of the searches to pretty up the dashboards.

0 Karma
Reply

sloshburch
Ultra Champion
‎08-29-2016 07:12 AM

Blerg. I love how the access_combined sourcetype that comes with splunk already extracts all the fields. I'm looking for a solution where that is extended to be CIM-compliant. I don't want to reinvent the wheel by recreating the field extractions etc that the access_combined pulls out so nicely.

0 Karma
Reply

gfuente
Motivator
‎08-29-2016 07:56 AM

This sounds like a good candidate to fill a "Enhacement Request" through Splunk support

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...