Solved: Splunk websense content gateway - URL's containing...

gjanders · ‎11-21-2016

This post is for the team managing the WebSense content gateway add on, and for anyone else who experiences this issue.

For the websense:cg:kv sourcetype, the fields are been auto-extracted by the key=value method, as per Splunk's default.
The issue we are hitting with this is some URL's include the ampersand symbol, or &.

Due to this the entries such as:
url=http://pixel.yabidos.com/nflrc.gif?cb=1479701935398&ver=1.0r5&qid=636373f5936373f5930353&p=8CU3827QO...

Beomes many fields, the url becomes:
http://pixel.yabidos.com/nflrc.gif?cb=1479701935398

Which is problematic, we are working around this by creating the extraction:
url=(?P\S+)

But perhaps the application needs an update to handle this scenario.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

gjanders · ‎11-21-2016

The question is actually answered in the post, however I would like a comment from anyone managing the application or anyone else expericing the issue...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

gjanders · ‎11-21-2016

The question is actually answered in the post, however I would like a comment from anyone managing the application or anyone else expericing the issue...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Splunk websense content gateway - URL's containing the ampersand (&) symbol are not been extracted correctly

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes