Getting Data In

How to view raw events in Stream??

tjago11
Communicator

Getting a Splunk Stream feed from a Gigamon tap for HTTP.

I can see all the default fields to pull from the HTTP stream, including the one I care about "src_headers". However, I can't log the full src_headers because it potentially contains authentication tokens and other stuff I don't want to log. I have been able to extract a couple fields successfully by guessing at the regex, but been thrashing on the rest.

Is there some way to view the data that is coming to Stream without being forced to log all of it?? Something like a preview??

Would be nice to see a sample event before logging everything. Thanks.

-Tyler

0 Karma

jacobpevans
Motivator

Please provide example data, what you want the data to look like, and the regex you've constructed so far. Be sure to censor any sensitive data.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

tjago11
Communicator

That's the problem, I don't have sample data. 😉

My data is getting fed from a Gigamon tap at the LTM level. I don't have visibility into the raw tap data and I don't want to log it because it has authentication tokens and other scary stuff.

Working with the OTB HTTP Stream Protocol:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/FileTransfer#HTTP

The field that I want to build an extraction for is src_headers:
src_headers: All HTTP headers sent from client to server (http.cs-headers)

I was able to extract a known header element that is added by an application team using this:
x-parentspantoken[\s:=]+(.{36})

The one I'm struggling with is the x-forwarded-for that is added by our F5 devices. I have this regex:
x-forwarded-for([:\s]+[\d.:\s,]+)

Which is just a guess because I can't see the actual raw header to know if that is right. Possibly a casing issue?? Tried adding (?i) to the front and it gave me an error:
Invalid regex Expression

Poop.

0 Karma
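An added example, not code from the post or from Splunk Stream: a small Python harness for testing header extractions offline against a constructed src_headers block, so that a pattern can be checked before anything is indexed. The sample headers and values are invented; the case-insensitive patterns are Python re syntax, and the dialect Stream's extraction engine accepts may differ. Authorization and cookie values are redacted before the block is previewed.

```python
import re

# Constructed sample of what a Stream src_headers value could look like.
# Header names follow the question; every value here is invented.
SAMPLE_SRC_HEADERS = (
    "Host: app.example.com\r\n"
    "Authorization: Bearer placeholder.token.value\r\n"
    "Cookie: session=0123456789abcdef\r\n"
    "X-Forwarded-For: 203.0.113.10, 10.0.0.5\r\n"
    "x-parentspantoken: 6f1c2d3e-4b5a-6789-abcd-ef0123456789\r\n"
    "User-Agent: test-client/1.0\r\n"
)

# Headers whose values must never reach the index or a debug preview.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}

# Case-insensitive versions of the extractions from the post. The
# x-forwarded-for pattern anchors on the header name at line start and
# captures only the address list, not the ": " separator.
EXTRACTIONS = {
    "x_forwarded_for": re.compile(r"(?im)^x-forwarded-for:[ \t]*([\d.:, ]+)"),
    "x_parentspantoken": re.compile(r"(?i)x-parentspantoken[\s:=]+(.{36})"),
}


def redact_headers(raw: str) -> str:
    """Return the header block with sensitive values replaced, for safe previewing."""
    out = []
    for line in raw.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            out.append(f"{name}: <redacted>")
        else:
            out.append(line)
    return "\n".join(out)


def extract_fields(raw: str) -> dict:
    """Apply each extraction regex to the header block; unmatched fields are omitted."""
    fields = {}
    for name, pattern in EXTRACTIONS.items():
        m = pattern.search(raw)
        if m:
            fields[name] = m.group(1).strip()
    return fields


if __name__ == "__main__":
    print(redact_headers(SAMPLE_SRC_HEADERS))
    print(extract_fields(SAMPLE_SRC_HEADERS))
```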