Hi - We're on R80.10 and the logs are coming through fine into a separate index.
I've installed the Check Point App for Splunk and set the sourcetype to cp_log.
However, none of the fields are properly searchable?
Do I have to use the Extract Fields process? When I tried this with a ; delimiter I get the error below. Is this something I'm doing wrong? Thanks for any help!
Error in 'rex' command: regex="(?ms)^(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))(?:\x3b)?(?P(?:"(?:[^\"]|.)"|(?:(?:(?!(?:\x3b)|\|").)|(?:.))))" has exceeded the configured depth_limit, consider raising the value in limits.conf.
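The regex in the error above is what the Extract Fields wizard produced for a ;-delimited line: one nested alternation group per field, chained together, which is why the matcher runs into depth_limit. As an added illustration (not code from the original post, the Check Point app, or Splunk), the script below extracts the same kind of key=value;key=value fields with a single flat pattern that is applied once per pair instead of once per line. It assumes the exported lines look like key=value pairs separated by ; with double quotes around values that themselves contain ; or = (the sample lines are constructed for the example, not real Check Point events); the function and variable names are my own.

```python
"""
Added example: flat key=value extraction for ;-delimited log lines.

Assumptions (not taken from the original post):
  - fields look like key=value and are separated by ';'
  - a value that contains ';' or '"' may be wrapped in double quotes,
    with backslash escapes inside the quotes
  - the sample lines below are constructed for illustration only
"""
import re
from typing import Dict, List

# One match per field. Both value alternatives are flat character classes,
# so the matcher never has to recurse through nested (?:...|...) groups
# the way the wizard-generated regex in the error message does.
_PAIR = re.compile(
    r'(?P<key>[^=;\s]+)='                      # field name up to '='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"'         # "quoted value" with \" escapes
    r'|(?P<bare>[^;]*))'                        # or an unquoted run up to ';'
)


def parse_pairs(line: str) -> Dict[str, str]:
    """Return the key=value fields found in one line as a dict."""
    fields: Dict[str, str] = {}
    for m in _PAIR.finditer(line):
        if m.group("quoted") is not None:
            # strip the backslash from \" and \\ inside quoted values
            value = re.sub(r'\\(.)', r'\1', m.group("quoted"))
        else:
            value = m.group("bare").strip()
        fields[m.group("key")] = value
    return fields


def parse_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Parse several lines; text before the first key=value (e.g. a syslog
    header) is simply skipped because it never matches _PAIR."""
    return [parse_pairs(line) for line in lines]


# Constructed sample events (not real Check Point output).
SAMPLE_LINES = [
    'time=1536143050;action=accept;src=10.0.0.5;dst=192.0.2.10;'
    'service=https;rule_name="Allow web; outbound";user=CN=bob,O=corp;proto=tcp',
    '<134>1 2018-09-05T10:24:10Z gw01 CP - - - '
    'time=1536143051;action=drop;src=198.51.100.7;dst=10.0.0.9;'
    'msg="say \\"hi\\"";proto=udp',
]

if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES):
        for key, value in event.items():
            print(f"{key}={value!r}")
        print("---")
```

Values containing an unquoted = (the user field above) and quoted values containing ; come through intact, which is exactly where a naive split(";") falls over. On the Splunk side the equivalent of this script is the extract command with pairdelim=";" kvdelim="=", which works pair by pair and does not need the wizard's per-field regex.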