
Splunk Carbon Black Add-on not parsing JSON

chanjianming
New Member

Hi, I configured the CBR cb-event-forwarder to output to Splunk in the following ways, but over at Splunk Enterprise the events received looked something like ###.....|....###...start...###{cb json}###end###.

Tried setup:
1) UF installed on the CBR server, cb-event-forwarder outputs to a file, the UF monitors the JSON file and forwards to Splunk Enterprise. The Carbon Black TA add-on is installed on Splunk Enterprise. The sourcetype is set correctly in the UF inputs.conf.

2) cb-event-forwarder output to Splunk HEC: same issue.

3) Verified that the CB event logs do not contain ###...###, just the {cb json content}.

4) Changing the sourcetype in inputs.conf to json: Splunk Enterprise parses the JSON event correctly, it is just not CIM mapped.

5) The UF is Linux, Splunk Enterprise is on Windows.

Does the Carbon Black TA add-on work on Windows Splunk? Please help.
Carbon Black Splunk Add-On not parsing JSON at all

Hi, I have tried 2 methods:

1) Install the UF on the Carbon Black Response server, cb-event-forwarder writes events to a JSON file, the UF monitors it and forwards to the indexer/search head. On the UF side, the sourcetype is indicated correctly. On the indexer side, I have the Carbon Black app add-on installed. Events received on the indexer side start with ###....###...start..{json content}###...end...###

2) The same issue occurs if I configure cb-event-forwarder to forward to Splunk (HEC).

3) If I use the native json sourcetype, I see the JSON parsed correctly, but not mapped to CIM.

4) The UF is Linux, the indexer is Windows. However, I didn't encounter the issue when both UF and indexer are Linux.

What is wrong here?
Does the CB Splunk add-on not run on Windows Splunk?

Please help.

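The post above reports events reaching Splunk as ###...###...start...###{cb json}###end### while the forwarder's own output file is bare JSON, and a json sourcetype parses them but loses CIM mapping. A quick way to pin down where the wrapping appears is to run the same check against each hop (the forwarder's output file, a raw export from the indexer): count how many lines are bare JSON objects, how many carry a JSON object embedded in other text, and how many contain no object at all. The script below is an added example for this thread, not code from the original post, from Carbon Black, or from Splunk. It makes no assumption about the delimiter text the post shows elided as "...": it recovers the embedded object by brace matching, skipping braces that sit inside JSON strings (a Carbon Black cmdline field can contain them). The sample lines are constructed for the example; only the "type" key, which the post's {cb json} content presumably carries, is assumed.

```python
"""Diagnose whether cb-event-forwarder JSON arrives bare or wrapped.

Added example for this thread (not code from the original post, Carbon
Black or Splunk). Classifies each line of an event file as
'clean' (bare JSON object), 'wrapped' (a JSON object embedded in other
text, as the post describes), or 'unparseable'.
"""
import json
import sys
from typing import Dict, List, Optional, Tuple


def extract_json_object(line: str) -> Optional[dict]:
    """Return the first complete top-level JSON object found in `line`.

    Scans from each '{' tracking string and escape state so that braces
    inside string values (e.g. a cmdline) do not unbalance the match.
    Returns None when no decodable object exists.
    """
    start = line.find("{")
    while start != -1:
        depth = 0
        in_string = False
        escaped = False
        for i in range(start, len(line)):
            ch = line[i]
            if in_string:
                if escaped:
                    escaped = False
                elif ch == "\\":
                    escaped = True
                elif ch == '"':
                    in_string = False
                continue
            if ch == '"':
                in_string = True
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    try:
                        return json.loads(line[start:i + 1])
                    except json.JSONDecodeError:
                        break  # balanced but not JSON; try the next '{'
        start = line.find("{", start + 1)
    return None


def classify_line(line: str) -> Tuple[str, Optional[dict]]:
    """Classify one line; returns (kind, decoded object or None)."""
    stripped = line.strip()
    if not stripped:
        return "empty", None
    try:
        obj = json.loads(stripped)
        if isinstance(obj, dict):
            return "clean", obj
    except json.JSONDecodeError:
        pass
    # Not a bare object: look for an object buried in delimiter text.
    obj = extract_json_object(stripped)
    if obj is not None:
        return "wrapped", obj
    return "unparseable", None


def check_lines(lines: List[str]) -> Dict[str, int]:
    """Tally line kinds; a healthy forwarder file is all 'clean'."""
    counts = {"clean": 0, "wrapped": 0, "unparseable": 0, "empty": 0}
    for line in lines:
        counts[classify_line(line)[0]] += 1
    return counts


def check_file(path: str) -> Dict[str, int]:
    """Run check_lines over a file on disk (e.g. the forwarder's output)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_lines(fh.readlines())


# Constructed sample lines for the example: a bare event, the wrapped
# form the post describes (delimiter text is illustrative), and garbage.
SAMPLE_LINES = [
    '{"type": "ingress.event.procstart", "process_guid": "00000001-0000-1234"}',
    '###.....|....###...start...###{"type": "ingress.event.procstart", '
    '"cmdline": "cmd.exe /c echo {x}"}###end###',
    "###...start...###not json at all###end###",
]

if __name__ == "__main__":
    target = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_lines(SAMPLE_LINES)
    print(target)
```

Run it with the path to the forwarder's output file on the CBR host, then against an export of the same events from the Windows indexer; the hop where "wrapped" first becomes non-zero is the one adding the delimiters.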