Not sure what happened to the "time_prefix" in the question. I double checked my props.conf and it is
"TIME_PREFIX = \"occurred\":\s" -- not sure why it pasted as "TIME_PREFIX = \"occurred\":s". So I can assume it's correct with "TIME_PREFIX = \"occurred\":\s".
I have an elementary understanding of how to write regexes to capture data in our other systems (flat files, etc.), but I'm not sure how to create an expression on EOF in Splunk.
As for the line break, the default is "((?!))" <-- this is a negative lookahead. But it doesn't make sense, because there is nothing to look back to.
Would something like this be better: "(\$(?!}))"
Below are the alerts sent to Splunk:
{
  "msg": "extended",
  "product": "Web MPS",
  "version": "7.4.0.254758",
  "appliance": "my-fireeye-pri.company.net",
  "alert": {
    "src": {
      "mac": "00:00:00:00:00:00",
      "ip": "169.250.0.1",
      "host": "IM-testing.fe-notify-examples.com",
      "vlan": "0",
      "port": "10"
    },
    "severity": "minr",
    "alert-url": "https://127.0.0.1/event_stream/events_for_bot?ev_id=9200&lms_iden=00:24:91:7A:5D:F4",
    "explanation": {
      "malware-detected": {
        "malware": {
          "name": "FireEye-TestEvent-SIG-IM",
          "stype": "bot-command",
          "sid": "30"
        }
      },
      "protocol": "tcp",
      "analysis": "content"
    },
    "occurred": "2015-11-05 20:48:26+00",
    "id": "9200",
    "action": "notified",
    "dst": {
      "ip": "127.0.0.20",
      "mac": "00:44:44:66:44:BB",
      "port": "20"
    },
    "name": "infection-match"
  }
}
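To make the LINE_BREAKER / TIME_PREFIX behaviour discussed above concrete, here is an added simulation in Python; it is not Splunk's code and not part of the post. It assumes the props.conf semantics as documented: the text captured by LINE_BREAKER's first group is the event boundary and is discarded, TIME_PREFIX is a regex whose match end is where timestamp parsing starts, and MAX_TIMESTAMP_LOOKAHEAD (value assumed here) bounds how far past that point the parser reads. The sample stream is constructed from the alert shape in the post (two alerts with different ids and times, pretty-printed, back to back). The breaker names in BREAKERS and the helpers (split_events, extract_timestamp, parse_stream, parse_offset) are this example's own.

```python
"""Simulate props.conf event breaking and timestamp extraction on concatenated JSON alerts."""
import json
import re
from datetime import datetime, timedelta, timezone


def _alert(alert_id, occurred):
    # Constructed sample alert, shaped like the FireEye alert in the post (fields trimmed).
    return json.dumps({
        "msg": "extended",
        "product": "Web MPS",
        "appliance": "my-fireeye-pri.company.net",
        "alert": {
            "src": {"ip": "169.250.0.1", "port": "10"},
            "severity": "minr",
            "occurred": occurred,
            "id": alert_id,
            "action": "notified",
            "name": "infection-match",
        },
    }, indent=2)


# Two pretty-printed alerts delivered back to back, as the input would arrive.
RAW_STREAM = _alert("9200", "2015-11-05 20:48:26+00") + "\n" + _alert("9201", "2015-11-05 20:49:02+00")

# Candidate LINE_BREAKER values (assumed semantics: group 1 is the discarded boundary).
BREAKERS = {
    "newlines": r"([\r\n]+)",             # chops pretty-printed JSON into one event per line
    "never": r"((?!))",                   # (?!) can never match, so the stream stays one event
    "between_objects": r"\}(\s*)(?=\{)",  # break only where a '}' is followed by the next '{'
}

TIME_PREFIX = r'"occurred":\s'  # the value from the post
MAX_TIMESTAMP_LOOKAHEAD = 30    # assumed; how many characters after the prefix are examined
# Timestamp shape used by the alert: 'YYYY-MM-DD HH:MM:SS' plus a '+HH', '+HHMM' or '+HH:MM' offset.
TS_RE = re.compile(r'"?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})([+-]\d{2}(?::?\d{2})?)?')


def split_events(raw, line_breaker):
    """Split raw text into events at each match of LINE_BREAKER's capture group 1."""
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER must contain a capture group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        if m.start(1) < 0:  # group 1 did not take part in this match
            continue
        events.append(raw[start:m.start(1)])  # text before the boundary closes the current event
        start = m.end(1)                      # boundary text itself is dropped
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def parse_offset(text):
    """Turn '+00', '+0530' or '-05:30' into a timedelta; no offset means UTC."""
    if not text:
        return timedelta(0)
    sign = -1 if text[0] == "-" else 1
    digits = text[1:].replace(":", "")
    return sign * timedelta(hours=int(digits[:2]), minutes=int(digits[2:4] or 0))


def extract_timestamp(event, time_prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Locate TIME_PREFIX, then parse the timestamp from the window that follows it."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    t = TS_RE.match(event[m.end():m.end() + lookahead])
    if not t:
        return None
    naive = datetime.strptime(t.group(1), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(parse_offset(t.group(2))))


def parse_stream(raw, line_breaker):
    """Return (alert id, timestamp) per event; id is None unless the event is one whole JSON object."""
    results = []
    for event in split_events(raw, line_breaker):
        try:
            alert_id = json.loads(event)["alert"]["id"]
        except (ValueError, KeyError, TypeError):
            alert_id = None  # breaker cut inside an object, or glued two objects together
        results.append((alert_id, extract_timestamp(event)))
    return results


if __name__ == "__main__":
    for name, breaker in BREAKERS.items():
        print(name, parse_stream(RAW_STREAM, breaker))
```

Running it shows why the breaker matters for alert fidelity: the newline breaker yields a pile of one-line fragments that never parse as JSON, `((?!))` yields a single event carrying only the first alert's timestamp (the second alert is lost inside it), and `\}(\s*)(?=\{)` yields exactly one well-formed event per alert with its own `occurred` time. In the PCRE dialect Splunk uses, as in Python's `re`, `\$` is a literal dollar sign, so an expression built on it will only fire if the data actually contains one.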