All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

FireEye app and eMPS

hcpr
Path Finder
‎04-24-2014 04:58 AM

Hi.

I hope someone has had success with this. I've gotten the FireEye app up and working with the xml alerts from our WebMPS, so I added reporting from our email MPS.
The data shows up in Splunk, but the FireEye app does not see this data for some reason.
I haven't started digging much in the problem, but I suspect that there are some fields that differ between these two.

Has anyone else looked into this?

Thanks.

Tags (2)
0 Karma
Reply

PrinceOfEval
Path Finder
‎04-24-2014 09:06 AM

Howdy.

I've looked into this a little bit. The FireEye app on SplunkBase seems to be pretty outdated and not very good. If you look at the props.conf and transforms.conf that are included you'll see that the field extractions don't seem to address the email MPS alerts at all. For example, there's no extraction for the source email address.

If you have the logs in XML format, you can use "kv_mode = xml" in props.conf to automatically extract all the XML fields. The automatic extraction tends to yield very complicated field names. This is kind of messy, but you can make it a little better by creating field aliases to give simpler names to the fields you really care about.

0 Karma
Reply

hcpr
Path Finder
‎04-25-2014 12:46 AM

Thanks for the tip on kv_mode. I was starting to look in that direction myself.
It's going to be a bit time consuming I think, but I'll see what I can do.

I can always hope that the "official" app is updated 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...