Granted I am new to splunk, and while I am utilizing the tutorials and help, it seems that I can not get something as simple as a error by IP report to work.
I have loaded data into splunk, and I can search the data and find what I want - quite simply, errors as reported in an Apache error log. What I want to do is show a count of errors by source IP address. For example the line in the log reads like this ( where xx is the source IP address ) : [Fri Aug 22 16:59:01 2013] [error] [client xx.xx.xx.xx] File does not exist: /home/file.jpg
It seems I can't index by the source IP , so I attempted to to create a regex to extract that value. I was able to do so using the interactive field extractor. It was able to generate a regex pattern, which appeared to work properly.
Unfortunately , when I click on the TEST button , a window pops up for a few moments with some information on testing the regex, however it disappears after a few seconds before I can read it. I can see the buttons " cancel " and " test " , but again the window closes before I can click on either.
The same happens when I try to save the generated regex. I click on the "save" button and a window pops up requesting a field name, but again it closes before any information can be given.
This is an incredibly simple thing to do : Show me a count of errors, by source IP address. Can anyone please direct me to where I am making a mistake?