Getting a Splunk Stream feed from a Gigamon tap for HTTP.
I can see all the default fields to pull from the HTTP stream, including the one I care about "src_headers". However, I can't log the full src_headers because it potentially contains authentication tokens and other stuff I don't want to log. I have been able to extract a couple fields successfully by guessing at the regex, but been thrashing on the rest.
Is there some way to view the data that is coming to Stream without being forced to log all of it?? Something like a preview??
Would be nice to see a sample event before logging everything. Thanks.
Please provide example data, what you want the data to look like, and the regex you've constructed so far. Be sure to censor any sensitive data.
That's the problem, I don't have sample data. 😉
My data is getting fed from a Gigamon tap at the LTM level. I don't have visibility into the raw tap data and I don't want to log it because it has authentication tokens and other scary stuff.
Working with the OTB HTTP Stream Protocol:
The field that I want to build an extraction for is src_headers:
src_headers All HTTP headers sent from client to server http.cs-headers
I was able to extract a known header element that is added by an application team using this:
The one I'm struggling with is the x-forwarded-for that is added by our F5 devices. I have this regex:
Which is just a guess because I can't see the actual raw header to know if that is right. Possibly a casing issue?? Tried adding (?i) to the front and it gave me an error:
Invalid regex Expression