Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Tomcat pattern not working

_joe
Contributor
‎08-09-2021 12:51 PM

Hello all,

I was wondering if I could please get some suggestions on why Tomcat isn't honoring my pattern values. I am following the instructions here:  https://docs.splunk.com/Documentation/AddOns/released/Tomcat/Recommendedfields

As recommended by Splunk documentation, we setup the following in className="org.apache.catalina.valves.AccessLogValve " in of server.xml

prefix="localhost_access_log_splunk" suffix=".txt"
pattern="%t, x_forwarded_for=?%{X-Forwarded-For}i?, remote_ip=?%a?,....

The filename and fields log as expected.


The only issue is instead of quotation (") marks, I am just seeing question marks (i.e. ...x_forwarded_for=?-?, remote_ip=?1.2.3.1?, remote_host=?1.2.3.2?,..)

Splunk Add-on for Tomcat: https://splunkbase.splunk.com/app/2911/

 

Labels (1)
Labels
Preview file
62 KB
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-23-2021 09:37 AM

How did you input those settings? Quotes are notorious for being "the wrong ones", especially when copy-pasted from an unknown source.

0 Karma
Reply

MuratKuru
Explorer
‎10-22-2021 02:07 AM

I have the same problem.
Where you able to solve this issue? 

0 Karma
Reply

_joe
Contributor
‎11-23-2021 09:32 AM

Sorry, not really. It seems some Tomcat instances need to be escaped by something different, I'm no sure why. 

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...