I just got Splunk Enterprise 6.5 up and running with Home Monitor 4.5.1 to ingest my pfsense 2.3.2_1 logs. I'm noticing that the field extractions seem to be off in Home Monitor.
I've adjusted the following but am wondering if there are other items that may have changed from 2.3 to 2.3.x that may need to be updated in the Home Monitor app.
pfsense: EXTRACT-Application changed 9 to 7 ^(?:[^ \n]* ){7}(?P \w+)
The ip_spec_4 field seems to be off as well, but I'm not certain what it should be extracting. Current output is "0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,60148,23,0,S,2904187495,,56516,,". I first thought it was the IP version, but that's covered under the ip_v field.
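To make it concrete which fields the quoted output covers, here is an added example (not from the post or the Home Monitor app) that splits that sample by the pfSense 2.2+ filterlog layout. It assumes the sample starts at the IPv4-specific section that follows the ip-version field (tos, ecn, ttl, id, offset, flags, proto id, proto text, then length, src, dst, then the TCP fields); the IPv6 branch of the format is not handled.

```python
"""Parse the IPv4 + TCP tail of a pfSense 2.3 filterlog record.

Added example, not the app's code. Field order is assumed from the
pfSense 2.2+ filterlog format; only the IPv4 branch is implemented.
"""

# Constructed from the sample output quoted in the post above.
SAMPLE = ("0x0,,47,61089,0,none,6,tcp,40,77.252.229.149,173.26.98.103,"
          "60148,23,0,S,2904187495,,56516,,")

IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags",
               "proto_id", "proto_text"]
IP_COMMON = ["length", "src", "dst"]
TCP_FIELDS = ["src_port", "dst_port", "data_len", "tcp_flags",
              "seq", "ack", "window", "urg", "options"]
UDP_FIELDS = ["src_port", "dst_port", "data_len"]
INT_FIELDS = ("ttl", "id", "offset", "proto_id", "length",
              "src_port", "dst_port", "data_len", "window")


def parse_ipv4_tail(tail):
    """Return a dict of named fields; empty CSV cells stay as ''."""
    parts = tail.split(",")
    names = IPV4_FIELDS + IP_COMMON
    if len(parts) < len(names):
        raise ValueError("short filterlog record: %d fields" % len(parts))
    rec = dict(zip(names, parts))
    rest = parts[len(names):]
    proto = rec["proto_text"].lower()
    if proto == "tcp":
        rec.update(zip(TCP_FIELDS, rest))
    elif proto == "udp":
        rec.update(zip(UDP_FIELDS, rest))
    else:
        # ICMP/other: keep the protocol-specific cells unparsed.
        rec["proto_data"] = ",".join(rest)
    for key in INT_FIELDS:
        if rec.get(key, "") != "":
            rec[key] = int(rec[key])
    return rec


def summarize(rec):
    """One-line view of the 5-tuple plus TCP flags, for quick triage."""
    return "%s %s:%s -> %s:%s [%s]" % (
        rec["proto_text"], rec["src"], rec.get("src_port", ""),
        rec["dst"], rec.get("dst_port", ""), rec.get("tcp_flags", ""))


if __name__ == "__main__":
    print(summarize(parse_ipv4_tail(SAMPLE)))
```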