FYI
The latest 1.0.14 app has some invalid configs in props/transforms. Splunkd.log complains about the following:
WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='leef_header'
WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='leef_body'
Neither the leef_header nor the leef_body stanza is in transforms.conf, but both are being used by:
REPORT-leef_data = leef_header, leef_body
Any plans on separating this out into a dedicated addon and app?
@ChrisBell04: what do your props and transforms look like?
Run this to check for any invalid configs:
$SPLUNK_HOME/bin/splunk btool check
A fresh download of the app from Splunkbase has the invalid entries Splunk is complaining about. There are no leef_ stanzas in transforms.conf. Yes, it's an easy fix... reporting it so the author will eventually correct it.
\VormetricDataSecurityLite\default\props.conf
[leef]
TRANSFORMS-syslog = test_for_syslog
TRANSFORMS-unknown = test_for_not_leef
TRANSFORMS-host = leef_host
REPORT-leef_data = leef_header, leef_body
SHOULD_LINEMERGE = false
TIME_PREFIX = devTime=
TIME_FORMAT = %Y-%m-%dT%H.%M.%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
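A small checker for the mismatch this thread reports, added here as an example (not code from the app or its author): it lists every REPORT-/TRANSFORMS- reference in props.conf that has no matching stanza in transforms.conf. The transforms.conf text is a constructed stand-in, and the script assumes both files come from a single app directory, so a transform defined in another app or in local/ would be flagged as missing.

```python
import re

# Constructed sample: part of the [leef] stanza quoted in the thread.
PROPS = """\
[leef]
TRANSFORMS-syslog = test_for_syslog
TRANSFORMS-unknown = test_for_not_leef
TRANSFORMS-host = leef_host
REPORT-leef_data = leef_header, leef_body
SHOULD_LINEMERGE = false
"""

# Constructed stand-in for transforms.conf (not the app's real file); it has
# no leef_ stanzas, matching what the thread reports.
TRANSFORMS = """\
[test_for_syslog]
REGEX = placeholder
[test_for_not_leef]
REGEX = placeholder
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
REFERENCE = re.compile(r"^((?:REPORT|TRANSFORMS)-[^=\s]+)\s*=\s*(.*)$")

def stanza_names(conf_text):
    """Return the set of stanza names defined in a .conf file's text."""
    lines = map(str.strip, conf_text.splitlines())
    return {m.group(1) for m in map(STANZA.match, lines) if m}

def missing_transforms(props_text, transforms_text):
    """List (props stanza, setting, transform) for every dangling reference."""
    defined = stanza_names(transforms_text)
    missing, current = [], None
    for raw in props_text.splitlines():
        line = raw.strip()
        header = STANZA.match(line)
        if header:
            current = header.group(1)
            continue
        ref = REFERENCE.match(line)  # comment lines never match this pattern
        if ref:
            for name in (n.strip() for n in ref.group(2).split(",")):
                if name and name not in defined:
                    missing.append((current, ref.group(1), name))
    return missing

if __name__ == "__main__":
    for stanza, setting, name in missing_transforms(PROPS, TRANSFORMS):
        print(f"[{stanza}] {setting} -> no [{name}] stanza in transforms.conf")
```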