- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Cisco eStreamer eNcore Add-on for Splunk does ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco eStreamer eNcore Add-on for Splunk does not properly parse the field URL
My eStreamer system outputs logs with a field called "URL" and the app Cisco eStreamer eNcore Add-on for Splunk
does not extract it properly
example:
.... url=https:/// ......
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified cisco:estreamer:data : FIELDALIAS-estreamer_url and added url=url.
It only had uri=url. I don't know why url didn't automatically extract but now |table url works.
Splunk 8.x TA-eStreamer 4.6.0
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ,
I too face the same issue where only uri field is being parsed not url.
How can I append in props.conf ? I have the below settings :
FIELDALIAS-estreamer_url = uri as url
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes , if you are using cisco:sourcefire sourcetype as part of https://splunkbase.splunk.com/app/1808/ which has CIM complaince for field extractions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In our instance, I can see url=https://outlook.office.365.com and don't see any issues with that? If you don't want https://, you can use rex to remove them right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey lakshman239
i cant see the field url at all, and i don't have any custom props or transform to parse it
and yes i can use a rex to remove the value "https", but that's not what i want
what i want to see is the field url extracted from the logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
which version of TA-eStreamer do you have ? I have 3.5.3 . Also you need to have Splunk_TA_sourcefire add-on for CIM/field extraction. Do you have both of them? Also, TA-eStreamer/local/props.conf may need to have following if you are using the sourcetypes from the cisco app
[cisco:estreamer:data]
rename = cisco:sourcefire
https://docs.splunk.com/Documentation/AddOns/released/Sourcefire/DataTypes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey lakshman239
i have this add-on: "https://splunkbase.splunk.com/app/3662/"
runing in it's latest version: 3.5.4
and do i have to use this config?
[cisco:estreamer:data]
rename = cisco:sourcefire
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Buttercup Games: Further Dashboarding Techniques (Part 5)
