Community:Field extractions for Squid data

From Splunk Wiki


Courtesy of Rui Ataide in this forum posting:

http://www.splunk.com/support/forum:SplunkApplications/3973/13053#post


Field extractions for Squid:

props.conf

[squid]
# Squid's native access.log starts with epoch seconds plus milliseconds
# (e.g. 1300041876.315); %s.%3N parses both parts of that token.
TIME_FORMAT = %s.%3N
MAX_TIMESTAMP_LOOKAHEAD = 15
SHOULD_LINEMERGE = false
REPORT-squid = squid

transforms.conf

[squid]
REGEX = ^\d+\.\d+\s+(\d+)\s+([0-9\.]*)\s+([^/]+)/(\d+)\s+(\d+)\s+(\w+)\s+((?:([^:]*)://)?([^/:]+):?(\d+)?/?([^ ]*))\s+(\S+)\s+([^/]+)/([^ ]+)\s+(.*)$
FORMAT = duration::$1 clientip::$2 action::$3 http_status::$4 bytes::$5 method::$6 uri::$7 proto::$8 uri_host::$9 uri_port::$10 uri_path::$11 username::$12 hierarchy::$13 server_ip::$14 content_type::$15
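As an added check that is not part of the original posting: the Python script below runs the same REGEX over a few constructed access.log lines (assumed to be in Squid's native log format, not real traffic) and maps the capture groups exactly as the FORMAT line does, so you can see what each field contains for a plain GET, for a CONNECT tunnel (no proto, port taken from the host:port token) and for a URL with an explicit port and query string. It also shows the extraction's silent failure mode: an IPv6 client address, which the clientip group [0-9\.]* cannot match, so the whole line yields no fields. The function names and sample lines are this example's own.

```python
import re
from datetime import datetime, timezone

# The REGEX from the page's transforms.conf, copied verbatim. Splunk evaluates it
# with PCRE; Python's re module handles every construct used here the same way.
SQUID_REGEX = re.compile(
    r"^\d+\.\d+\s+(\d+)\s+([0-9\.]*)\s+([^/]+)/(\d+)\s+(\d+)\s+(\w+)\s+"
    r"((?:([^:]*)://)?([^/:]+):?(\d+)?/?([^ ]*))\s+(\S+)\s+([^/]+)/([^ ]+)\s+(.*)$"
)

# Field names in capture-group order, i.e. the page's FORMAT line ($1 .. $15).
FIELDS = [
    "duration", "clientip", "action", "http_status", "bytes", "method",
    "uri", "proto", "uri_host", "uri_port", "uri_path", "username",
    "hierarchy", "server_ip", "content_type",
]

# Constructed sample lines in Squid's native access.log format (not real traffic).
# Squid right-aligns the elapsed-time field, hence the runs of spaces.
SAMPLE_LINES = [
    "1300041876.315    123 192.168.1.5 TCP_MISS/200 5624 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1300041877.002  30011 192.168.1.5 TCP_TUNNEL/200 48210 CONNECT www.example.com:443 jdoe HIER_DIRECT/93.184.216.34 -",
    "1300041878.100      0 192.168.1.5 TCP_DENIED/403 3871 GET http://www.example.com:8080/foo/bar?x=1 - HIER_NONE/- text/html",
    # IPv6 client: the clientip group [0-9\.]* cannot match it, so the line yields no fields.
    "1300041879.000     10 2001:db8::1 TCP_MISS/200 100 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
]


def parse_timestamp(line):
    """Parse the leading 'epoch.millis' token the way TIME_FORMAT = %s.%3N does."""
    token = line.split(None, 1)[0]
    secs, _, millis = token.partition(".")
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return ts.replace(microsecond=int(millis.ljust(3, "0")[:3]) * 1000)


def extract(line):
    """Apply the page's extraction to one access.log line.

    Returns a dict of field -> value. Optional groups that did not participate
    (proto and uri_port on a CONNECT line) come back as None. Returns None when
    the line does not match at all, which is also what Splunk does: the event is
    still indexed, but none of these fields exist on it.
    """
    m = SQUID_REGEX.match(line)
    if m is None:
        return None
    fields = dict(zip(FIELDS, m.groups()))
    fields["_time"] = parse_timestamp(line)
    return fields


def unmatched(lines):
    """Return the lines the extraction silently skips. Run this over a real log
    sample before trusting a search like clientip=... to see every client."""
    return [ln for ln in lines if extract(ln) is None]


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(extract(ln))
    print("unmatched:", unmatched(SAMPLE_LINES))
```

Two things worth knowing before searching on these fields: uri_path comes back without its leading slash (the regex consumes it with /?), and any line the regex rejects is indexed with the timestamp but none of the fifteen fields, so a search that filters on clientip or uri_host never sees it. If your proxy serves IPv6 clients, widen the clientip group (for example to [0-9a-fA-F\.:]+) and re-run the unmatched check.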