Hi
Need help.
I have a Splunk environment running Splunk version 8.2 with the Cisco Firepower eStreamer service (Splunk Add-On) version 5 and the Splunk Add-on for Carbon Black 2.1 (latest).
It is not working correctly in Splunk version 8: events are getting parse errors, and the key fields for those events cannot be identified.
I'm not sure what causes this or whether I'm missing a setting.
I followed the guide at https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl...
I have been through all the community articles, including those about similar errors, but with no luck.
Any advice on getting this working is much appreciated. Thank you.
Below is the setup info.
Cisco Firepower eStreamer service (Splunk Add-On) version 5
Issue: Cisco Firepower parsing issue
Device Model: Cisco Firepower 1010 Firewall
Collection method: syslog to Splunk HF > Indexer
Splunk Add-on installed on both HF and SH: https://splunkbase.splunk.com/app/3662 (Latest Version)
Splunk HF and SH Version: 8.2.1
Source Type: cisco:firepower:syslog
Source Type configuration: Tried Auto and Regex as well
Splunk Add-on for Carbon Black 2.1 (latest)
Meanwhile, the same thing happens with the Carbon Black Bit9 JSON parsing issue:
Issue: Multiple events were merged by Splunk and hence failed to parse, though some events have no issue. I checked the raw logs and found no different patterns; when I saved the raw logs to a text file and uploaded it manually, it worked without any problem.
Collection method: UF > Indexer
Splunk Add-on installed: https://splunkbase.splunk.com/app/2790 (Latest Version)
Splunk HF and SH Version: 8.2.1
Source Type: bit9:carbonblack:json
Source Type configuration: Tried Auto and Regex as well
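A quick check for the Carbon Black symptom described in the post (several JSON events merged into one Splunk event, so JSON field extraction fails). This is an added example, not code from the post, the add-on, or Splunk; the sample events are constructed, and the field names in them are assumptions chosen only to give the right shape (one JSON object per line). The script takes the _raw text of events as Splunk shows them and classifies each as a single complete object, several objects concatenated (merged), or a cut-off document (partial).

```python
import json
from typing import Dict, List, Tuple

# Constructed sample _raw values standing in for sourcetype bit9:carbonblack:json.
# Field names are assumptions; only the shape matters:
#   [0] one complete JSON object   -> fields extract normally
#   [1] two objects merged by a newline -> one event, JSON extraction fails
#   [2] a document cut off mid-string   -> also unparseable
RAW_EVENTS = [
    '{"type": "ingress.event.process", "sensor_id": 17, "process_md5": "aa"}',
    '{"type": "ingress.event.netconn", "sensor_id": 17, "ipv4": "10.0.0.5"}\n'
    '{"type": "ingress.event.filemod", "sensor_id": 17, "path": "C:\\\\tmp\\\\x"}',
    '{"type": "ingress.event.regmod", "sensor_id": 18, "path": "HKLM\\\\SOFT',
]


def split_json_objects(raw: str) -> Tuple[List[dict], str]:
    """Decode consecutive JSON objects from one event.

    Returns (objects_found, leftover_text). leftover_text is empty when the
    whole event was consumed; otherwise it is the undecodable tail (a cut-off
    document or non-JSON noise).
    """
    decoder = json.JSONDecoder()
    objs: List[dict] = []
    pos, n = 0, len(raw)
    while True:
        while pos < n and raw[pos].isspace():  # skip the separators between objects
            pos += 1
        if pos >= n:
            return objs, ""
        try:
            obj, end = decoder.raw_decode(raw, pos)  # decode one object, get its end
        except json.JSONDecodeError:
            return objs, raw[pos:]
        objs.append(obj)
        pos = end


def classify(raw: str) -> str:
    """'ok' = exactly one object, 'merged' = more than one, 'partial' = cut off."""
    objs, leftover = split_json_objects(raw)
    if leftover:
        return "partial"
    return "ok" if len(objs) == 1 else "merged"


def summarize(events: List[str]) -> Dict[str, int]:
    """Count how many events fall into each class; a non-zero 'merged' count
    confirms that line breaking, not the JSON itself, is the problem."""
    counts = {"ok": 0, "merged": 0, "partial": 0}
    for raw in events:
        counts[classify(raw)] += 1
    return counts


if __name__ == "__main__":
    for i, raw in enumerate(RAW_EVENTS):
        objs, leftover = split_json_objects(raw)
        print(f"event {i}: {classify(raw)} ({len(objs)} object(s), "
              f"{len(leftover)} leftover chars)")
    print(summarize(RAW_EVENTS))
```

To use it against real data, export the affected events' _raw field from search (for example with table _raw and a CSV export) and feed the strings in as RAW_EVENTS. A non-zero "merged" count confirms that the events are intact JSON but were joined during line breaking; on a UF > indexer path that breaking happens on the indexer (or the first heavy forwarder), so the sourcetype's props.conf there, not on the search head, is where SHOULD_LINEMERGE and LINE_BREAKER take effect.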