All Apps and Add-ons

tomcat:access:splunk:log --> why are there question marks before and after some field values like remote_ip

MuratKuru
Explorer

Hi All
I have followed the instructions under 

"https://docs.splunk.com/Documentation/AddOns/released/Tomcat/Recommendedfields"

But as you can see on the pic below there are question marks before and after the field value.
Why is that needed?

MuratKuru_0-1634889272613.png

Thank you in advance for your help.

Labels (2)
0 Karma

PickleRick
Ultra Champion

As the doc you pointed to says, you defined the log pattern this way. I suppose (I don't know this addon so I only speculate), the parsing rules should retrieve the proper values from the log easier this way since they are delimited by those question marks. Not a pretties solution, but should probably work.

So, you defined a pattern and you're getting the raw events in the format you defined yourself.

The thing to check is whether they are getting parsed properly.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...