Hello all and hopefully @rechteklebe
I currently have PCAP Analyzer to the point that I can copy a *.pcap or *.pcapng file over to the monitor folder and it will run it through tshark and make the output file that Splunk then ingests and powers the dashboards with.
I found that Suricata on pfSense outputs the pcap files as log.pcap.<I think date data here>. Example log.pcap.1720627634
These seem to not get converted and ingested. I went to make a whitelist in the inputs.conf, but running a btool check it comes back as an invalid key in the stanza. I remembered the webUI section to do this also does not offer a whitelist/blacklist stanza, so I guess you have that disabled somehow. I'm assuming one or some of your python scripts are filtering on whether the file is a *.pcap or *.pcapng.
I'm finding it is not an option to change the file name format in the Suricata GUI in pfSense, or to have rsync change the file names on copy, or to have a bash script do it on the Linux host the files get moved to. Is there a set of python scripts I can change this whitelisting in? Or a way to enable whitelisting at the inputs.conf level? Or could a transforms fix this?
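Added example, not code from the post or from the PCAP Analyzer app: a Python filter that recognises Suricata's log.pcap.<epoch> files by their magic bytes rather than their extension, so the decision to ingest does not depend on the name at all, and then derives a name a *.pcap/*.pcapng whitelist would accept. The `log-<epoch>.pcap` naming scheme and the `scan_monitor_dir` helper are assumptions, not the app's own functions.

```python
import re
from pathlib import Path
from typing import Optional

# libpcap magic (first 4 bytes): microsecond and nanosecond, LE and BE.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",  # microsecond, LE / BE
    b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d",  # nanosecond,  LE / BE
}
# pcapng: Section Header Block type, 4-byte length, then byte-order magic.
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"
PCAPNG_BYTE_ORDER = {b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a"}
# Suricata's rotated capture names on pfSense: log.pcap.<unix epoch>
SURICATA_NAME = re.compile(r"^log\.pcap\.(\d{9,10})$")

def sniff_capture_type(header: bytes) -> Optional[str]:
    """Identify a capture from its first 12 bytes, ignoring the filename."""
    if header[:4] in PCAP_MAGICS:
        return "pcap"
    if header[:4] == PCAPNG_BLOCK_TYPE and header[8:12] in PCAPNG_BYTE_ORDER:
        return "pcapng"
    return None

def canonical_name(name: str, kind: str) -> str:
    """Name the file the way a *.pcap/*.pcapng whitelist expects:
    log.pcap.1720627634 -> log-1720627634.pcap (assumed scheme)."""
    m = SURICATA_NAME.match(name)
    if m:
        return f"log-{m.group(1)}.{kind}"
    if name.endswith(f".{kind}"):
        return name
    return f"{name}.{kind}"

def plan_ingest(name: str, header: bytes) -> Optional[str]:
    """Return the name to hand to the analyzer, or None to skip the file.
    Content decides; the original name only shapes the new name."""
    kind = sniff_capture_type(header)
    return canonical_name(name, kind) if kind else None

def scan_monitor_dir(monitor: Path) -> dict:
    """Map each file in the monitor folder to its ingest name (or None)."""
    plan = {}
    for p in sorted(monitor.iterdir()):
        if p.is_file():
            with p.open("rb") as fh:
                plan[p.name] = plan_ingest(p.name, fh.read(12))
    return plan
```

Files that carry no capture header (rotation in progress, text logs that land in the same folder) come back as None and are skipped rather than fed to tshark.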