My eStreamer system outputs logs with a field called "URL", and the app Cisco eStreamer eNcore Add-on for Splunk
does not extract it properly:
.... url=https:/// ......
I can't see the field url at all, and I don't have any custom props or transform to parse it.
And yes, I can use a rex to remove the value "https", but that's not what I want.
What I want to see is the field url extracted from the logs.
Which version of TA-eStreamer do you have? I have 3.5.3. Also, you need to have the SplunkTAsourcefire add-on for CIM/field extraction. Do you have both of them? Also, TA-eStreamer/local/props.conf may need to have the following if you are using the sourcetypes from the Cisco app:
rename = cisco:sourcefire