
3.3 Extract source and destination from an Apache Access log

Problem

Apache web server access log messages contain two fields of particular interest: the source and the destination.

Solution

Use the parse operator to extract the source IP address and destination URL:

_sourceCategory=apache 
| parse "* " as src_IP
| parse "GET * " as url

Discussion

This example extracts the first part of each log message (up to the first space) as the source IP address, then looks for the GET verb and extracts the requested URL. Log messages with no GET verb (POST or PUT, for example) are ignored (dropped from the results).

To extract the page size, add a parse operator that looks for the 200 ("OK") status code:

_sourceCategory=apache 
| parse "* " as src_IP 
| parse " 200 * " as size 
| parse "GET * " as url
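
The drop behaviour described in the Discussion, and the effect of the " 200 * " anchor in the page-size query, can be checked offline with the following added example (Python, not Sumo Logic code and not part of the original page). It is a simplified model that assumes each * is a shortest-match wildcard and that a message with no match is dropped; the function names and log lines are constructed for illustration.

```python
import re

# Constructed sample messages in Apache combined log format (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 404 199 "-" "curl/8.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "GET /missing HTTP/1.1" 404 200 "-" "curl/8.0"',
]

def anchor_to_regex(anchor):
    """Turn a parse anchor such as 'GET * ' into a regex; each * is a shortest-match capture."""
    return re.compile("(.*?)".join(re.escape(part) for part in anchor.split("*")))

def parse(records, anchor, field):
    """Model of one parse step: add `field` on a match, drop the message otherwise."""
    rx = anchor_to_regex(anchor)
    out = []
    for rec in records:
        m = rx.search(rec["_raw"])
        if m:
            out.append({**rec, field: m.group(1)})
    return out

def run_query(lines, with_size=False):
    """Apply the page's parse steps in order; with_size adds the ' 200 * ' step."""
    records = [{"_raw": line} for line in lines]
    records = parse(records, "* ", "src_IP")
    if with_size:
        records = parse(records, " 200 * ", "size")
    return parse(records, "GET * ", "url")

if __name__ == "__main__":
    # The POST and the 404/199 request vanish from the results. The 404 with a
    # 200-byte body survives, because the literal " 200 " anchor is not tied to
    # the status field, and its "size" is the referrer token that follows.
    for r in run_query(SAMPLE_LOGS, with_size=True):
        print(r["src_IP"], r["size"], r["url"])
```

In this model, requests that fail a parse step never reach the results, so a search built on these queries shows nothing for POST traffic or for non-200 responses.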