My eStreamer system outputs logs with a field called "URL" and the app Cisco eStreamer eNcore Add-on for Splunk
does not extract it properly
example:
.... url=https:/// ......
I modified cisco:estreamer:data: FIELDALIAS-estreamer_url and added url=url.
It only had uri=url. I don't know why url didn't automatically extract, but now |table url works.
Splunk 8.x TA-eStreamer 4.6.0
Hope that helps.
Hello,
I too face the same issue where only the uri field is being parsed, not url.
How can I append it in props.conf? I have the below settings:
FIELDALIAS-estreamer_url = uri as url
Thanks.
Yes, if you are using the cisco:sourcefire sourcetype as part of https://splunkbase.splunk.com/app/1808/, which has CIM compliance for field extractions.
In our instance, I can see url=https://outlook.office.365.com and don't see any issues with that? If you don't want https://, you can use rex to remove it, right?
Hey lakshman239,
I can't see the field url at all, and I don't have any custom props or transforms to parse it.
And yes, I can use a rex to remove the value "https", but that's not what I want.
What I want to see is the field url extracted from the logs.
Which version of TA-eStreamer do you have? I have 3.5.3. Also, you need to have the Splunk_TA_sourcefire add-on for CIM/field extraction. Do you have both of them? Also, TA-eStreamer/local/props.conf may need to have the following if you are using the sourcetypes from the Cisco app:
[cisco:estreamer:data]
rename = cisco:sourcefire
https://docs.splunk.com/Documentation/AddOns/released/Sourcefire/DataTypes
Hey lakshman239,
I have this add-on: "https://splunkbase.splunk.com/app/3662/"
running in its latest version: 3.5.4.
And do I have to use this config?
[cisco:estreamer:data]
rename = cisco:sourcefire
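Added example, not code from this thread or from either Cisco add-on: a small Python model of the two things being discussed, key=value extraction from an eStreamer-style event and a props.conf FIELDALIAS line such as "uri as url". The event text is constructed (the "url=https:///" shape mirrors what is reported above), and the alias handling is a deliberately simplified model of Splunk's behaviour (an alias is only populated when its source field is present in the event). The check_url helper is an extra data-quality check for values like "https:///" that have a scheme but no host, which is worth knowing about before such values feed CIM-based searches.

```python
import re
from urllib.parse import urlsplit

# Constructed eStreamer-style event fragment (not a real capture).
SAMPLE_EVENT = (
    "rec_type=71 event_sec=1600000000 client=HTTP url=https:/// "
    "web_app=Unknown dest_port=443"
)

# Constructed variant where the add-on's original alias source ("uri") exists.
SAMPLE_EVENT_WITH_URI = (
    "rec_type=71 event_sec=1600000001 client=HTTP "
    "uri=http://example.invalid/a web_app=Unknown dest_port=80"
)

# Simple key=value extraction: word characters, "=", then non-space value.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Matches each "<source> as <alias>" pair on a FIELDALIAS right-hand side.
ALIAS_RE = re.compile(r"(\S+)\s+as\s+(\S+)", re.IGNORECASE)


def extract_kv(event):
    """Return the key=value pairs found in one raw event as a dict."""
    return dict(KV_RE.findall(event))


def parse_fieldalias(line):
    """Parse a props.conf line like 'FIELDALIAS-x = uri as url'.

    Assumption: only the '<src> as <alias>' form is modelled.
    """
    _, _, rhs = line.partition("=")
    return ALIAS_RE.findall(rhs)


def apply_aliases(fields, aliases):
    """Copy each source field to its alias; missing sources produce nothing."""
    out = dict(fields)
    for src, alias in aliases:
        if src in fields:
            out[alias] = fields[src]
    return out


def check_url(value):
    """Return None for a plausible URL, otherwise a short reason string."""
    parts = urlsplit(value)
    if not parts.scheme:
        return "missing scheme"
    if not parts.netloc:
        return "missing host"
    return None


def process(event, alias_line):
    """Extract, alias, and flag a malformed url field for one event."""
    fields = apply_aliases(extract_kv(event), parse_fieldalias(alias_line))
    problem = check_url(fields["url"]) if "url" in fields else "url absent"
    return fields, problem


if __name__ == "__main__":
    alias_line = "FIELDALIAS-estreamer_url = uri as url"
    for ev in (SAMPLE_EVENT, SAMPLE_EVENT_WITH_URI):
        fields, problem = process(ev, alias_line)
        print(fields.get("url"), "->", problem or "ok")
```

Running it shows the first event keeps url=https:/// straight from key=value extraction and is flagged "missing host", while the second event only gets a url field because the uri source exists for the alias to copy.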