I'm playing with the Splunk Add-on for Apache Web Server but it looks to be restrictive on the log format as per: http://docs.splunk.com/Documentation/AddOns/released/ApacheWebServer/Configure
But is there a way to use this without changing the log format, since many organizations have a restriction on changing their log format?
I'd love to use this TA so I can make my access_combined CIM-compliant, but it looks like I'm losing a lot of fields since I can't change the httpd.conf log format.
Maybe I'm missing something simple here?
Blerg. I love how the access_combined sourcetype that comes with Splunk already extracts all the fields. I'm looking for a solution where that is extended to be CIM-compliant. I don't want to reinvent the wheel by recreating the field extractions etc. that the access_combined pulls out so nicely.