All Apps and Add-ons

Splunk Add-on for Apache Web Server: Too restrictive?

sloshburch
Ultra Champion

I'm playing with the Splunk Add-on for Apache Web Server but it looks to be restrictive on the log format as per: http://docs.splunk.com/Documentation/AddOns/released/ApacheWebServer/Configure
But is there a way to use this without changing the log format since many organizations have a restriction on changing their log format.
I'd love to use this TA so I can make my access_combined CIM-compliant but looks like I'm losing a lot of fields since I can't change the httpd.conf log format.
Maybe I'm missing something simple here?

0 Karma

jdonn_splunk
Splunk Employee
Splunk Employee

If you cannot change the format of the file, change the field extractions to fit your data. You can do this in props.conf & transforms.conf or use the field extraction utility in the GUI.

However, if you are missing some of the fields used to drive dashboard panels, you may have to update some of the searches to pretty up the dashboards.

0 Karma

sloshburch
Ultra Champion

Blerg. I love how the access_combined sourcetype that comes with splunk already extracts all the fields. I'm looking for a solution where that is extended to be CIM-compliant. I don't want to reinvent the wheel by recreating the field extractions etc that the access_combined pulls out so nicely.

0 Karma

gfuente
Motivator

This sounds like a good candidate to fill a "Enhacement Request" through Splunk support

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.