Can you expand on this statement?
We have only seen this when using the CLI as opposed to within our TA.
On a forwarder I start the client with this.
/apps/splunk/etc/apps/TA-eStreamer/bin>nohup ./splencore.sh start &
Top portion of props.conf: I added the SHOULD_LINEMERGE line, but it did not work. It still merges the lines when a "burst" of attacks comes from the same source IP, destination IP and country (e.g. China) but different ports.
[cisco:estreamer:log]
# Search-time extraction of the eNcore client log: timestamp, logger, level, message.
# Note: the (?P<name>...) group names did not survive the paste; as shown the regex is not valid.
EXTRACT-encore_log_fields = ^(?P\d+-\d+-\d+\s+\d+:\d+:\d+,\d+)\s+(?P[^ ]+)\s+(?P\w+)\s+(?P.+)
SHOULD_LINEMERGE = false

[cisco:estreamer]

[cisco:estreamer:data]
# One event per line; do not merge lines into multi-line events.
SHOULD_LINEMERGE = false
# 0 = never truncate long events.
TRUNCATE = 0
# Timestamp follows the event_sec= key.
TIME_PREFIX = event_sec=
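For comparison, here is an added props.conf stanza (example configuration, not from the post above and not the eNcore TA's shipped props.conf) that pins event boundaries explicitly rather than relying only on SHOULD_LINEMERGE. With SHOULD_LINEMERGE = false, Splunk splits events wherever LINE_BREAKER matches, and the text captured by the regex's first group is discarded at the boundary. The lookahead on rec_type= is an assumption that each eNcore data record begins with that key; adjust it to whatever key actually starts a record in your output. Note also that LINE_BREAKER, SHOULD_LINEMERGE, TRUNCATE and the TIME_* settings are applied by the parsing tier (indexers or heavy forwarders); a universal forwarder does not honour them, so a props.conf placed only on a UF will not change how lines are merged.

```ini
# Added example configuration for the eNcore data sourcetype.
# Assumption: each record starts with "rec_type=" on its own line.
[cisco:estreamer:data]
# Never glue consecutive lines together into one event.
SHOULD_LINEMERGE = false
# Break before each new record; the newline(s) in the capture group are dropped.
LINE_BREAKER = ([\r\n]+)(?=rec_type=)
# Never truncate a long record (0 = unlimited).
TRUNCATE = 0
# Timestamp is the epoch value that follows "event_sec=".
TIME_PREFIX = event_sec=
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
```

After deploying, check where the stanza is actually in effect with `splunk btool props list cisco:estreamer:data --debug` on the host that parses the data, and confirm each burst lands as separate events in search with `| eval n=mvcount(split(_raw, "rec_type="))`.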