Hello. 

I would like to ingest data from a Fireeye HX, viewing the data either in the Fireeye app or through our own dashboards.   However, although the data is being indexed the fields are not being extracted/labelled in a useful way.

• I  am running Splunk 8.2.2 on Linux.   I have an indexer cluster and SH cluster.
• I am using the latest app version, 3.8.8.
• The Fireeye HX is sending data via TCP in CEF format.

On the CM:

# cat etc/master-apps/_cluster/local/inputs.conf
<snip>
[tcp://:1234]
index = fe_data
sourcetype = hx_ce_syslog

# ls etc/master-apps/FireEye_v3
appserver bin default lookups metadata README.md static

I created local versions of props.conf and transforms.conf . 

In props.conf I uncommented this line as instructed (as we want the data in our own index).

# Uncomment the next line to send FireEye data to a separate index called "fireeye"
TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in

In transforms.conf I changed entries like this to use our index:

[fix_HX_CEF_in]
REGEX=.*:\sCEF\:\d\|mandiant\|mso\|
DEST_KEY=_MetaData:Index
FORMAT=fe_data

Q: Did I need to change FORMAT to use our index if I have specified the index in inputs.conf?

Q: Am I right in thinking I don't need the FireEye app installed on the SHC if I don't want to use the app there?  i.e. it is enough for the indexers to use the app's conifguration to parse the data.

Q: If the above is correct, does anyone know why the fields are not being extracted as, for example, cef_name?