Getting Data In

Splunk Add-on for Tomcat pattern not working


Hello all,

I was wondering if I could please get some suggestions on why Tomcat isn't honoring my pattern values. I am following the instructions here:

As recommended by Splunk documentation, we setup the following in className="org.apache.catalina.valves.AccessLogValve " in of server.xml

prefix="localhost_access_log_splunk" suffix=".txt"
pattern="%t, x_forwarded_for=?%{X-Forwarded-For}i?, remote_ip=?%a?,....

The filename and fields log as expected.

The only issue is instead of quotation (") marks, I am just seeing question marks (i.e. ...x_forwarded_for=?-?, remote_ip=?, remote_host=?,..)

Splunk Add-on for Tomcat:


Labels (1)
0 Karma

Ultra Champion

How did you input those settings? Quotes are notorious for being "the wrong ones", especially when copy-pasted from an unknown source.

0 Karma


I have the same problem.
Where you able to solve this issue? 

0 Karma


Sorry, not really. It seems some Tomcat instances need to be escaped by something different, I'm no sure why. 

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...