All Apps and Add-ons

Cisco eStreamer eNcore Add-on for Splunk does not properly parse the field URL

New Member

My eStreamer system outputs logs with a field called "URL" and the app Cisco eStreamer eNcore Add-on for Splunk

does not extract it properly

example:
.... url=https:/// ......

0 Karma

SplunkTrust
SplunkTrust

Yes , if you are using cisco:sourcefire sourcetype as part of https://splunkbase.splunk.com/app/1808/ which has CIM complaince for field extractions

0 Karma

SplunkTrust
SplunkTrust

In our instance, I can see url=https://outlook.office.365.com and don't see any issues with that? If you don't want https://, you can use rex to remove them right?

0 Karma

New Member

Hey lakshman239

i cant see the field url at all, and i don't have any custom props or transform to parse it
and yes i can use a rex to remove the value "https", but that's not what i want
what i want to see is the field url extracted from the logs

0 Karma

SplunkTrust
SplunkTrust

which version of TA-eStreamer do you have ? I have 3.5.3 . Also you need to have SplunkTAsourcefire add-on for CIM/field extraction. Do you have both of them? Also, TA-eStreamer/local/props.conf may need to have following if you are using the sourcetypes from the cisco app
[cisco:estreamer:data]
rename = cisco:sourcefire

https://docs.splunk.com/Documentation/AddOns/released/Sourcefire/DataTypes

0 Karma

New Member

Hey lakshman239

i have this add-on: "https://splunkbase.splunk.com/app/3662/"
runing in it's latest version: 3.5.4

and do i have to use this config?
[cisco:estreamer:data]
rename = cisco:sourcefire

0 Karma