Re: Splunk Add-on for Tomcat pattern not working

_joe · ‎08-09-2021

Hello all,

I was wondering if I could please get some suggestions on why Tomcat isn't honoring my pattern values. I am following the instructions here: https://docs.splunk.com/Documentation/AddOns/released/Tomcat/Recommendedfields

As recommended by Splunk documentation, we setup the following in className="org.apache.catalina.valves.AccessLogValve " in of server.xml

prefix="localhost_access_log_splunk" suffix=".txt"

pattern="%t, x_forwarded_for=?%{X-Forwarded-For}i?, remote_ip=?%a?,....

The filename and fields log as expected.

The only issue is instead of quotation (") marks, I am just seeing question marks (i.e. ...x_forwarded_for=?-?, remote_ip=?1.2.3.1?, remote_host=?1.2.3.2?,..)

Splunk Add-on for Tomcat: https://splunkbase.splunk.com/app/2911/

PickleRick · ‎11-23-2021

How did you input those settings? Quotes are notorious for being "the wrong ones", especially when copy-pasted from an unknown source.

MuratKuru · ‎10-22-2021

I have the same problem.
Where you able to solve this issue?

_joe · ‎11-23-2021

Sorry, not really. It seems some Tomcat instances need to be escaped by something different, I'm no sure why.

Splunk Add-on for Tomcat pattern not working

universal forwarder

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann