
Issues with Cisco Firepower eStreamer service (Splunk Add-On) - Unable to parse data correctly in Splunk

MCChung
Splunk Employee

Hi 

Need help. 

I have a Splunk setup environment which is using Splunk version 8.2 with Cisco Firepower eStreamer service (Splunk Add-On) version 5 and Splunk Add-on for Carbon Black 2.1 (latest).
It is working wrongly in Splunk version 8: there is a parse error, those events have parse errors and it is unable to identify key fields for the events.


Not sure what causes this or whether I am missing any setting.

I followed the guideline from https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl...

and the Splunk doc (invalid link)

I have been through all the articles in the community, including those similar to this error, but no luck.

Any advice on getting this working is much appreciated. Thank you.

 

Below is the setup info. 

Cisco Firepower eStreamer service (Splunk Add-On) version 5

Issue: Cisco Firepower parsing issue:

Device Model: Cisco Firepower 1010 Firewall

Collecting method: Syslog to Splunk HF > Indexer

Splunk Add-on installed on both HF and SH: https://splunkbase.splunk.com/app/3662 (Latest Version)

Splunk HF and SH Version: 8.2.1

Source Type: cisco:firepower:syslog

Source Type configuration: Tried Auto and Regex as well

 

Splunk Add-on for Carbon Black 2.1 (latest) 

Meanwhile, the same happens with the Carbon Black Bit9 JSON parsing issue:

Issue: Multiple events were merged by Splunk and hence failed to parse, though some of the events are without any issue. I checked the raw logs and they have no different patterns; I tried saving the raw logs to a text file and uploading manually, and it works without any problem.

Collecting method: UF > Indexer

Splunk Add-on installed: https://splunkbase.splunk.com/app/2790 (Latest Version)

Splunk HF and SH Version: 8.2.1

Source Type: bit9:carbonblack:json

Source Type configuration: Tried Auto and Regex as well
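As an added diagnostic for the "multiple events were merged" symptom described in the post (example code added here, not code from either add-on or from the poster): given one Splunk `_raw` event that holds several concatenated `bit9:carbonblack:json` records, it shows why a one-object JSON parser fails and counts how many records were merged into the event. The sample records and hostnames are constructed.

```python
import json

# Constructed sample: one Splunk _raw event into which three separate
# bit9:carbonblack:json records have been merged (newline-separated).
MERGED_RAW = (
    '{"type":"event.fileFirstSeen","hostname":"ws-01","timestamp":1623456789}\n'
    '{"type":"event.policyChange","hostname":"ws-02","timestamp":1623456790}\n'
    '{"type":"event.computerBlocked","hostname":"ws-03","timestamp":1623456791}'
)


def parse_single(raw: str):
    """Mimic a parser that expects exactly one JSON object per event.

    Returns the object, or None on a parse error (trailing data counts
    as an error, which is what a merged event produces).
    """
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def split_merged_events(raw: str):
    """Recover every JSON object concatenated in one raw event.

    raw_decode handles objects separated by whitespace or by nothing at
    all; any leftover non-JSON text is returned as the second element.
    """
    decoder = json.JSONDecoder()
    objects, pos = [], 0
    while pos < len(raw):
        while pos < len(raw) and raw[pos].isspace():  # skip separators
            pos += 1
        if pos >= len(raw):
            break
        try:
            obj, end = decoder.raw_decode(raw, pos)
        except json.JSONDecodeError:
            return objects, raw[pos:]  # leftover garbage, stop here
        objects.append(obj)
        pos = end
    return objects, ""


def is_merged(raw: str) -> bool:
    """True when the raw event holds more than one JSON record."""
    objects, _ = split_merged_events(raw)
    return len(objects) > 1


if __name__ == "__main__":
    print("single-object parse:", parse_single(MERGED_RAW))  # None
    objs, rest = split_merged_events(MERGED_RAW)
    print(f"{len(objs)} records merged into one event; leftover={rest!r}")
```

Run it against a copied `_raw` value from a failing event: a count above one confirms the line-breaking side of the problem rather than a field-extraction issue.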
