
Read Squid access.log with Splunk


I'm trying to create a Splunk dashboard with the results of my squid access.log web traffic. My problem here is, I can't make any search with the results of access.log, which looks for example like this:

2020-10-17 15:41:37 86 192.168.1.41 NONE/200 0 CONNECT twitter.com:443 - HIER_DIRECT/104.244.42.193 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0" "SQUID-CS" 209 -

Do you have any suggestions on how I can regex or split the results of these results? I just wanna get the destination URL (twitter.com).

I have a squid index and a squid sourcetype... fyi.

Any tips are appreciated!

Thanks a lot!


Solution

  • What are the props.conf settings for the squid sourcetype? They will help us determine why you have no extracted fields. If you don't have anything in props.conf for the sourcetype, create some using access_combined (find it in $SPLUNK_HOME/etc/system/default/props.conf) as a model.

    To extract just the URL using regex, try this command.

    ... | rex "CONNECT (?<URL>[^:]+)"
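As an added example (not part of the question or the answer above), here is a small Python parser for the log format shown in the question. It pulls out the same destination host the rex command does, and goes one step further by also handling non-CONNECT lines, where the URL field holds a full URL rather than host:port. The field names are my own choice, and the second sample line is constructed.

```python
import re
from urllib.parse import urlsplit

# Regex modelled on the access.log line from the question (a custom Squid
# logformat): date, time, elapsed ms, client IP, result/status, bytes,
# method, URL, user, hierarchy/peer, mime type, quoted user agent, ...
LOG_RE = re.compile(
    r'(?P<date>\S+) (?P<time>\S+) (?P<duration>\d+) (?P<client>\S+) '
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<method>[A-Z]+) (?P<url>\S+) (?P<user>\S+) '
    r'(?P<hier>[A-Z_]+)/(?P<peer>\S+) (?P<mime>\S+) '
    r'"(?P<agent>[^"]*)"'
)


def dest_host(method, url):
    """Destination host, generalising the answer's rex: CONNECT lines carry
    host:port, other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]      # strip the :443 port
    host = urlsplit(url).hostname
    return host if host else url          # keep the raw value for odd URLs


def parse_squid_line(line):
    """Return a dict of fields for one access.log line, or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dest_host"] = dest_host(fields["method"], fields["url"])
    return fields


# Constructed sample lines: the first is the one from the question, the
# second is a made-up GET request in the same format.
SAMPLE = [
    '2020-10-17 15:41:37 86 192.168.1.41 NONE/200 0 CONNECT twitter.com:443 - HIER_DIRECT/104.244.42.193 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0" "SQUID-CS" 209 -',
    '2020-10-17 15:42:01 12 192.168.1.41 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html "curl/7.68.0" "SQUID-CS" 120 -',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_squid_line(line)
        print(rec["client"], rec["method"], rec["dest_host"], rec["status"])
```

The same named groups can be pasted into a Splunk `rex` or a props.conf `EXTRACT-` stanza once the `(?P<name>...)` syntax is changed to `(?<name>...)`.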