Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Tomcat pattern not working

_joe
Communicator
‎08-09-2021 12:51 PM

Hello all,

I was wondering if I could please get some suggestions on why Tomcat isn't honoring my pattern values. I am following the instructions here:  https://docs.splunk.com/Documentation/AddOns/released/Tomcat/Recommendedfields

As recommended by Splunk documentation, we setup the following in className="org.apache.catalina.valves.AccessLogValve " in of server.xml

prefix="localhost_access_log_splunk" suffix=".txt"
pattern="%t, x_forwarded_for=?%{X-Forwarded-For}i?, remote_ip=?%a?,....

The filename and fields log as expected.


The only issue is instead of quotation (") marks, I am just seeing question marks (i.e. ...x_forwarded_for=?-?, remote_ip=?1.2.3.1?, remote_host=?1.2.3.2?,..)

Splunk Add-on for Tomcat: https://splunkbase.splunk.com/app/2911/

 

Labels (1)
Labels
Preview file
62 KB
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-23-2021 09:37 AM

How did you input those settings? Quotes are notorious for being "the wrong ones", especially when copy-pasted from an unknown source.

0 Karma
Reply

MuratKuru
Explorer
‎10-22-2021 02:07 AM

I have the same problem.
Where you able to solve this issue? 

0 Karma
Reply

_joe
Communicator
‎11-23-2021 09:32 AM

Sorry, not really. It seems some Tomcat instances need to be escaped by something different, I'm no sure why. 

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...