https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454162#M55853 <P>Hey lakshman239</P> <P>i cant see the field url at all, and i don't have any custom props or transform to parse it<BR /> and yes i can use a rex to remove the value "https", but that's not what i want<BR /> what i want to see is the field url extracted from the logs</P> Tue, 12 Feb 2019 08:14:11 GMT michaelelizarov 2019-02-12T08:14:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454160#M55851 <P>My eStreamer system outputs logs with a field called "URL" and the app Cisco eStreamer eNcore Add-on for Splunk</P> <P>does not extract it properly</P> <P>example:<BR /> .... url=https:/// ......</P> Wed, 06 Feb 2019 06:40:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454160#M55851 michaelelizarov 2019-02-06T06:40:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454161#M55852 <P>In our instance, I can see url=<A href="https://outlook.office.365.com">https://outlook.office.365.com</A> and don't see any issues with that? If you don't want <A href="https://," target="test_blank">https://,</A> you can use rex to remove them right?</P> Wed, 06 Feb 2019 12:37:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454161#M55852 lakshman239 2019-02-06T12:37:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454162#M55853 <P>Hey lakshman239</P> <P>i cant see the field url at all, and i don't have any custom props or transform to parse it<BR /> and yes i can use a rex to remove the value "https", but that's not what i want<BR /> what i want to see is the field url extracted from the logs</P> Tue, 12 Feb 2019 08:14:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454162#M55853 michaelelizarov 2019-02-12T08:14:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454163#M55854 <P>which version of TA-eStreamer do you have ? I have 3.5.3 . Also you need to have Splunk_TA_sourcefire add-on for CIM/field extraction. Do you have both of them? Also, TA-eStreamer/local/props.conf may need to have following if you are using the sourcetypes from the cisco app<BR /> [cisco:estreamer:data]<BR /> rename = cisco:sourcefire</P> <P><A href="https://docs.splunk.com/Documentation/AddOns/released/Sourcefire/DataTypes" target="_blank">https://docs.splunk.com/Documentation/AddOns/released/Sourcefire/DataTypes</A></P> Tue, 29 Sep 2020 23:15:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454163#M55854 lakshman239 2020-09-29T23:15:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454164#M55855 <P>Hey lakshman239</P> <P>i have this add-on: "<A href="https://splunkbase.splunk.com/app/3662/">https://splunkbase.splunk.com/app/3662/</A>"<BR /> runing in it's latest version: 3.5.4</P> <P>and do i have to use this config?<BR /> [cisco:estreamer:data]<BR /> rename = cisco:sourcefire</P> Sun, 17 Feb 2019 06:33:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454164#M55855 michaelelizarov 2019-02-17T06:33:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454165#M55856 <P>Yes , if you are using cisco:sourcefire sourcetype as part of <A href="https://splunkbase.splunk.com/app/1808/">https://splunkbase.splunk.com/app/1808/</A> which has CIM complaince for field extractions</P> Wed, 27 Feb 2019 22:40:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/454165#M55856 lakshman239 2019-02-27T22:40:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/553415#M65747 <P>I modified cisco:estreamer:data : FIELDALIAS-estreamer_url and added url=url.</P><P>It only had uri=url.&nbsp; I don't know why url didn't automatically extract but now |table url works.</P><P>Splunk 8.x TA-eStreamer 4.6.0</P><P>Hope that helps.</P> Thu, 27 May 2021 21:47:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/553415#M65747 acaruso 2021-05-27T21:47:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/555069#M65851 <P>Hello ,</P><P>I too face the same issue where only uri field is being parsed not url.</P><P>How can I append in props.conf ? I have the below settings :</P><P><SPAN>FIELDALIAS-estreamer_url = uri as url</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks.</P> Wed, 09 Jun 2021 12:06:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-Add-on-for-Splunk-does-not-properly-parse/m-p/555069#M65851 sampathv 2021-06-09T12:06:03Z