Hello,
According to the documentation of Splunk App for Stream, 'src_ip' value should capture the 'X-Forwarded-For' header value instead of the original src_ip. But it doesn't seem to work on my instance.
As you can see from following attached image, there is a "X-Forwarded-For" header in my src_headers attribute, but the src_ip has different value.
I'm using Splunk 6.3.1 and Stream App 6.4.1.
Thank you in advance.
hi kwchang,
Seems like a bug.. would you by any chance be able to provide a sample .pcap file that exhibit this problem?
hi kwchang,
Seems like a bug.. would you by any chance be able to provide a sample .pcap file that exhibit this problem?