Splunk query for custom Apache access log format

We have a kludgy access log format. It certainly isn't standard, and the out-of-the-box transforms.conf can't parse it. Rather than change that, I elected to split the lines on the fly in the search itself; not as fast as indexed field extraction, but it's an option. The search below splits each raw line on tab into a multivalue field, pulls the eighth field (mvindex is zero-based, so index 7) as the response code, and keeps only events with an HTTP response code of 404.

import splunklib.client as client
import splunklib.results as results

# Connect to the Splunk management port (8089); credentials are masked here.
service = client.connect(host="*******", port="8089", username="*****", password="******")

# Split each raw event on tab, take the eighth field (mvindex is zero-based),
# and keep only events whose response code is 404. The SPL is a plain
# triple-quoted Python string, so "\t" reaches Splunk as a literal tab character.
rr = results.ResultsReader(service.jobs.oneshot("""
search host="cmhlpecomweb*" sourcetype=access_combined |
  fields _raw |
  eval temp=split(_raw,"\t") |
  eval response_code=mvindex(temp,7) |
  where response_code = 404
""",
  **{"earliest_time": "2017-04-16T03:18:00.000-04:00",
     "latest_time": "2017-04-16T03:22:00.000-04:00",
     "count": 0}))

# ResultsReader also yields Message objects (search warnings and info);
# only dict results carry event fields such as _raw.
for result in rr:
    if isinstance(result, dict):
        print(result['_raw'])
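Before running a split/mvindex search like this over a time window, it helps to confirm the field offset offline against a handful of real lines. The following is an added example, not code from the original post: it mirrors the SPL's split(_raw,"\t") and mvindex(temp,7) in plain Python over constructed sample lines (the layout assumed below, client IP first and status in the eighth field, is an assumption; only "tab-delimited with the status at index 7" comes from the post), handles the short-line case the same way Splunk does (mvindex past the end returns null, so the where clause drops the event), and adds a per-client 404 count, which is the usual reason to pull 404s out in the first place.

```python
"""Offline check of the tab-delimited split used in the Splunk search.

Added example, not from the original post. The sample lines are constructed;
the assumed layout is:
  client_ip  ident  user  timestamp  method  path  protocol  status  bytes
(tab separated), which puts the HTTP status at index 7, matching mvindex(temp,7).
"""
from collections import Counter

# Constructed sample events; the last one is deliberately truncated.
SAMPLE_LINES = [
    "10.0.0.5\t-\t-\t[16/Apr/2017:03:18:01 -0400]\tGET\t/admin\tHTTP/1.1\t404\t209",
    "10.0.0.5\t-\t-\t[16/Apr/2017:03:18:02 -0400]\tGET\t/old/page\tHTTP/1.1\t404\t209",
    "10.0.0.5\t-\t-\t[16/Apr/2017:03:18:03 -0400]\tGET\t/missing.png\tHTTP/1.1\t404\t209",
    "10.0.0.9\t-\t-\t[16/Apr/2017:03:19:10 -0400]\tGET\t/index.html\tHTTP/1.1\t200\t5120",
    "10.0.0.12\t-\t-\t[16/Apr/2017:03:20:44 -0400]\tGET\t/archive/2016\tHTTP/1.1\t404\t209",
    "10.0.0.9\ttruncated line with too few fields",
]

RESPONSE_CODE_INDEX = 7  # same offset as mvindex(temp,7) in the SPL (zero-based)


def split_line(raw):
    """Mirror eval temp=split(_raw,"\t"): split on tab, keep fields verbatim."""
    return raw.rstrip("\r\n").split("\t")


def response_code(raw):
    """Mirror mvindex(temp,7).

    Splunk returns null for an out-of-range index, so a short line yields
    None here and is dropped by the filter, just as `where` drops it in SPL.
    """
    fields = split_line(raw)
    if len(fields) <= RESPONSE_CODE_INDEX:
        return None
    return fields[RESPONSE_CODE_INDEX]


def filter_by_status(raw_lines, status="404"):
    """Mirror `where response_code = 404`; split() yields strings, so compare as text."""
    return [line for line in raw_lines if response_code(line) == status]


def count_by_client(raw_lines, status="404"):
    """Count matching events per client (first field).

    One client producing many 404s inside a few minutes is the pattern this
    kind of search is usually used to surface for review.
    """
    counts = Counter()
    for line in filter_by_status(raw_lines, status):
        counts[split_line(line)[0]] += 1
    return counts


if __name__ == "__main__":
    for line in filter_by_status(SAMPLE_LINES):
        print(line)
    print(count_by_client(SAMPLE_LINES).most_common())
```

If the offline check returns the wrong field, the fix is to change the index in one place (RESPONSE_CODE_INDEX here, the mvindex argument in the search) rather than to start guessing at the live data.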
