Hi,
The Splunk setup in my environment contains Heavy Forwarder (HF) before search time. I'm currently using version 3.0.9 Fireeye Add-on from Splunkbase in the below URL and have it installed in HF & Search Head (SH) to help parse those Fireeye Syslog Events:
https://splunkbase.splunk.com/app/1904/
However, in some of the raw events, the header got stripped off and only ingested those in { } as the "_raw" events in Splunk when i search for events in the GUI. This resulted in Splunk not ingesting the complete set of raw events (from header till the end of string). Was looking through the stanzas in transforms.conf and observed this particular regex which is trying to extract those in the { }.
Version 3.0.9
REGEX = (?s).?fenotify.?(?{.*})
FORMAT = $1
DEST_KEY = _raw
Version 3.1.1
REGEX = (?s).?fenotify.?({.*})
FORMAT = $1
DEST_KEY = _raw
Apparently both versions seems to have this "stripping header" stanza which may be the main cause of why my Fireeye Syslog events got truncated. Any recommendation to solve this issue? Does upgrading to the latest version (from 3.0.9 to 3.1.1) help to resolve the issue? Or can i just remove those stanzas in my current version? And, if I do that, will there be any consequences?
Thanks is advance!
