Splunk Issues

a guest, May 23rd, 2013
Hello,
We are attempting to resolve a problem where data hasn't been assigned the correct source type.
We have attempted to resolve this by performing search-time field extractions, but nothing seems to work.

The sourcetype has been identified as: www_website_com_au_access_log-2
The source is: /var/log/httpd/www_website_com_au_access_log

In props.conf I have tried:

[source::/var/log/httpd/www_website_com_au_access_log]
rename=access-common

I have tried:
[source::/var/log/httpd/www_website_com_au_access_log]
sourcetype=access-common

I have tried:
[source::/var/log/httpd/www_website_com_au_access_log]
TRANSFORMS-fix_ae = fix_access_extractions

With the complementing transforms.conf:

[fix_access_extractions]
# matches access-common or access-combined apache logging formats
# Extracts: clientip, clientport, ident, user, req_time, method, uri, root, file, uri_domain, uri_query, version, status, bytes, referer_url, referer_domain, referer_proto, useragent, cookie, other (remaining chars)
# Note: referer is misspelled on purpose because that is the "official" spelling for "HTTP referer"
REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]
FORMAT = sourcetype::access_common
DEST_KEY = MetaData:Sourcetype

Yet when I do a search on source=/var/log/httpd/www_website_com_au_access_log

The fields are still useless and no useful fields are returned.

Thanks in advance
Cam


SAMPLE DATA:

192.168.x.x (192.168.x.x) www.website.com - - [23/May/2013:17:05:44 +8000] "GET /images/external/website_logo.png HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2; MSOffice 12)" 21832  TLSv1 AES128-SHA
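
Added example, not part of the original paste and not Splunk's own code: a Python check of the sample line above against a simplified stand-in for the common/combined layout and against a pattern written for the layout the sample actually has. The field names second_ip, vhost, extra, tls_version and tls_cipher are assumptions; the (?P<name>...) groups are also valid PCRE, so the pattern can be carried into a search-time EXTRACT- setting in props.conf.

```python
import re

# Sample line copied from the paste above (addresses were already redacted there).
SAMPLE = (
    '192.168.x.x (192.168.x.x) www.website.com - - [23/May/2013:17:05:44 +8000] '
    '"GET /images/external/website_logo.png HTTP/1.1" 304 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; '
    '.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; '
    '.NET4.0C; .NET4.0E; InfoPath.2; MSOffice 12)" 21832  TLSv1 AES128-SHA'
)

# Simplified stand-in (an assumption, not the stock Splunk regex) for the
# common/combined layout: clientip ident user [time] "request" status bytes
STOCK = re.compile(r'^\S+\s+\S+\s+\S+\s+\[[^\]]+\]\s+"[^"]*"\s+\S+\s+\S+')

# Pattern for the layout of the sample line: a parenthesised second address
# and a virtual-host name sit between clientip and ident, and three extra
# tokens follow the user agent. Names for those extras are hypothetical.
CUSTOM = re.compile(
    r'^(?P<clientip>\S+)\s+\((?P<second_ip>[^)]*)\)\s+(?P<vhost>\S+)\s+'
    r'(?P<ident>\S+)\s+(?P<user>\S+)\s+\[(?P<req_time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<uri>\S+)\s+(?P<version>[^"]+)"\s+'
    r'(?P<status>\S+)\s+(?P<bytes>\S+)\s+"(?P<referer>[^"]*)"\s+'
    r'"(?P<useragent>[^"]*)"'
    r'(?:\s+(?P<extra>\S+)\s+(?P<tls_version>\S+)\s+(?P<tls_cipher>\S+))?\s*$'
)


def stock_matches(line):
    """True if the line fits the plain common/combined field order."""
    return STOCK.match(line) is not None


def extract(line):
    """Return the named fields for the sample's layout, or None if it differs."""
    m = CUSTOM.match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("plain common/combined layout matches:", stock_matches(SAMPLE))
    for name, value in extract(SAMPLE).items():
        print(f"{name:12} {value}")
```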