splunk 4.1.4 not transforming an apache access log

Question

I have a Splunk 4.1.4 install which is indexing some apache access logs. Unfortunately, when I try to produce reports on the logs, it doesn't seem to have done the fields transform so all the url, useragent, etc fields are missing.

The weird thing is, in the fields column on the left hand side of the search view, it says "All 68 fields" but if I click that to add more fields, the dialog box that appears says "Available fields (24)".

The initial query I did was;

host="gromit" sourcetype="access_combined"

The entry for the field transform seems to be there in /opt/splunk/etc/system/default;

REGEX = ^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]

Am I doing something wrong?

Answer 1

I'm seeing a similar issue on some of my logs. I have things set to auto detect in a directory watch and I come up with 2 types:

access-too_small:

10.253.1.1 - - [14/Mar/2011:09:33:22 -0400] default - "GET / HTTP/1.0" 200 5127 "-" "-"

access-6:

192.168.1.1 - - [14/Mar/2011:09:36:02 -0400] pub.mydomain.com url.someotherdomain.com "POST /path/to/java HTTP/1.1" 200 318 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_24"

splunk 4.1.4 not transforming an apache access log

Follow this question

Splunk Resources

Related questions