
tomcat:access:splunk:log --> why are there question marks before and after some field values like remote_ip


Hi All
I have followed the instructions under 


But as you can see on the pic below there are question marks before and after the field value.
Why is that needed?


Thank you in advance for your help.

0 Karma

Ultra Champion

As the doc you pointed to says, you defined the log pattern this way. I suppose (I don't know this addon, so I'm only speculating) that the parsing rules should retrieve the proper values from the log more easily this way, since they are delimited by those question marks. Not the prettiest solution, but it should probably work.

So, you defined a pattern and you're getting the raw events in the format you defined yourself.

The thing to check is whether they are getting parsed properly.

0 Karma