Cisco eStreamer eNcore Add-on for Splunk does not properly parse the field URL

michaelelizarov
New Member

My eStreamer system outputs logs with a field called "URL", and the app Cisco eStreamer eNcore Add-on for Splunk does not extract it properly.

Example:
.... url=https:/// ......

0 Karma

acaruso
Explorer

I modified cisco:estreamer:data: FIELDALIAS-estreamer_url and added url=url.

It only had uri=url. I don't know why url didn't automatically extract, but now |table url works.

Splunk 8.x, TA-eStreamer 4.6.0

Hope that helps.

0 Karma

sampathv
New Member

Hello,

I too face the same issue, where only the uri field is being parsed, not url.

How can I append it in props.conf? I have the below settings:

FIELDALIAS-estreamer_url = uri as url

Thanks.

0 Karma
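An added worked example for the props.conf question above; it is not code from this thread, from the eStreamer add-on or from Splunk. It shows a stanza that keeps the existing FIELDALIAS and adds an explicit EXTRACT regex that pulls url= straight out of _raw, plus a small Python model of how Splunk applies those settings (assumed semantics: automatic key=value extraction with case-sensitive field names, an alias that only copies a field that already exists, and EXTRACT named groups becoming fields) run over constructed sample events. The stanza placement, the regex, the event contents and the field names other than uri/url are assumptions; the harness checks the regex and the alias logic offline, it does not validate the stanza against Splunk itself.

```python
import re

# Added example: a props.conf stanza for the sourcetype named in this thread.
# Assumed placement is TA-eStreamer/local/props.conf (or any app you control that
# owns the sourcetype); this is not the add-on's shipped configuration.
PROPS_CONF_STANZA = r"""
[cisco:estreamer:data]
# FIELDALIAS only copies a field that was already extracted: if no 'uri' field
# exists for the event, no 'url' field is created either.
FIELDALIAS-estreamer_url = uri AS url
# Explicit search-time extraction from _raw. (?i) makes the key match whether the
# log writes 'url=' or 'URL='; the value runs to the next whitespace.
EXTRACT-estreamer_url = (?i)\burl=(?<url>\S+)
"""

# Constructed sample events (not real eStreamer output): one with 'uri', one with
# the bare 'url=https:///' value from the question, one with an upper-case key,
# and one with neither field.
SAMPLE_EVENTS = [
    "rec_type=71 uri=https://example.test/login sensor=fw1",
    "rec_type=71 url=https:/// sensor=fw1",
    "rec_type=71 URL=https://portal.example.test/?id=7&x=1 sensor=fw1",
    "rec_type=71 sensor=fw1",
]


def stanza_settings(stanza):
    """Return the key = value settings of one props.conf stanza, skipping the
    [stanza] header, blank lines and comments."""
    settings = {}
    for line in stanza.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def auto_kv(raw):
    """Stand-in for Splunk's automatic key=value extraction: whitespace-delimited
    key=value tokens. Field names stay case-sensitive, so 'URL' is not 'url'."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))


def apply_fieldalias(fields, alias_setting):
    """Model FIELDALIAS semantics: each 'orig AS new' pair copies orig into new
    only when orig is present in the extracted fields."""
    out = dict(fields)
    for orig, new in re.findall(r"(\S+)\s+AS\s+(\S+)", alias_setting, flags=re.I):
        if orig in fields:
            out[new] = fields[orig]
    return out


def apply_extract(raw, fields, extract_regex):
    """Model EXTRACT-<class> semantics: named groups of the regex become fields.
    Splunk uses PCRE's (?<name>...); Python's re needs (?P<name>...), so the
    group syntax is rewritten (lookbehinds (?<= and (?<! are left alone)."""
    py_regex = re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", extract_regex)
    out = dict(fields)
    match = re.search(py_regex, raw)
    if match:
        out.update(match.groupdict())
    return out


def extract_fields(raw):
    """Run auto KV, then the alias, then the explicit extraction, in that order."""
    settings = stanza_settings(PROPS_CONF_STANZA)
    fields = auto_kv(raw)
    fields = apply_fieldalias(fields, settings["FIELDALIAS-estreamer_url"])
    fields = apply_extract(raw, fields, settings["EXTRACT-estreamer_url"])
    return fields


def extract_url(raw):
    """The value a search would see in the 'url' field, or None if it is absent."""
    return extract_fields(raw).get("url")


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{extract_url(event)!r:45} <- {event}")
```

The point of the third sample event is the one a practitioner should check first: Splunk field names are case-sensitive, so an event that carries URL= produces a URL field, not url, and an alias of uri cannot help because uri was never extracted. The explicit EXTRACT with (?i) covers both spellings and the bare https:/// value, and it can be tested interactively with | rex before being committed to props.conf.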

lakshman239
Influencer

Yes, if you are using the cisco:sourcefire sourcetype as part of https://splunkbase.splunk.com/app/1808/, which has CIM compliance for field extractions.

0 Karma

lakshman239
Influencer

In our instance, I can see url=https://outlook.office.365.com and don't see any issues with that? If you don't want https://, you can use rex to remove it, right?

0 Karma

michaelelizarov
New Member

Hey lakshman239,

I can't see the field url at all, and I don't have any custom props or transforms to parse it.
And yes, I can use a rex to remove the value "https", but that's not what I want.
What I want to see is the field url extracted from the logs.

0 Karma

lakshman239
Influencer

Which version of TA-eStreamer do you have? I have 3.5.3. Also, you need to have the Splunk_TA_sourcefire add-on for CIM/field extraction. Do you have both of them? Also, TA-eStreamer/local/props.conf may need to have the following if you are using the sourcetypes from the Cisco app:

[cisco:estreamer:data]
rename = cisco:sourcefire

https://docs.splunk.com/Documentation/AddOns/released/Sourcefire/DataTypes

0 Karma

michaelelizarov
New Member

Hey lakshman239,

I have this add-on: "https://splunkbase.splunk.com/app/3662/"
running in its latest version: 3.5.4

And do I have to use this config?

[cisco:estreamer:data]
rename = cisco:sourcefire

0 Karma