
Why is the FireEye App for Splunk Enterprise v3 not properly parsing data?


Good day,

We have already set up the app, but the data coming from FireEye is not properly parsed, or fields are missing. To give you an idea of our setup, please see below.

The FireEye appliance is configured to send rsyslog to a heavy forwarder, which forwards to our indexers. On the heavy forwarder, the syslog data is being dumped into a file using syslog-ng. From there, we define the directory path as a data input, which is then forwarded as the file updates.

We have installed the FireEye App on the Search Head, but no TA for any of the indexers.

Any thoughts on what items we are still missing? Parsing the app alone will be tedious work.



jmallorquin is most likely correct in that additional data is being added to the beginning of each event packet, which is preventing the transforms from parsing the data correctly. Thus the sourcetype and eventtype are probably not being correctly populated, which prevents the dashboards from displaying the data correctly (if at all).

Your setup is a bit unique in that you are not merely sending the data directly via HTTPS or syslog. Due to the additional complexity (HF -> Indexer -> read from file) the events are being munged somewhere. Since this scenario is specific to your instance, I would recommend contacting me via the Help -> Send Feedback mechanism within the app itself.

Then we will post a generic solution here for the rest of the folks after we figure out a graceful solution.

Just as a reminder, for more vanilla installs, please use our configuration guide (PDF) found at the top of the documentation section here:



Hi @TonyLeeVT, thanks for your answer. I will be in touch with you using the Help function.




Probably your syslog service on the heavy forwarder is adding info to the events. Have you tried sending directly to the HF on a TCP port?

Hope I helped you.

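To make the failure mode both answers describe concrete, here is an added Python example; it is not code from the FireEye app, its TA, or Splunk. It assumes the appliance sends CEF-formatted syslog (the standard `CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension` layout); the sample lines, the start-anchored "sourcetype" regex standing in for whatever the app's transforms actually use, and the prefix-stripping regex are all constructed for illustration. It shows that the same event parses cleanly when it starts with `CEF:` and produces nothing once syslog-ng has written a timestamp/host/program prefix in front of it, and that stripping that prefix restores the fields.

```python
import re

# Constructed sample events, not real FireEye output. The CEF header layout
# (CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension)
# is the standard one; the vendor/product/field values are placeholders.
RAW_CEF = ("CEF:0|fireeye|MPS|7.0|MO|malware-object|10|"
           "rt=Jan 01 2024 12:00:00 UTC src=10.0.0.5 dst=198.51.100.7 "
           "cs1Label=sname cs1=Trojan.Generic")

# What a file written by syslog-ng with a default-style template can look like:
# the syslog timestamp, host and program tag are re-added in front of the message.
# (Constructed; the exact prefix depends on the syslog-ng template in use.)
PREFIXED = "Jan  1 12:00:01 hf01 fenotify-1234.alert: " + RAW_CEF

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")

# Hypothetical stand-in for the kind of sourcetype/transform regex an app ships:
# anchored at the start of the event, so a prefixed line never matches.
CEF_AT_START = re.compile(r"^CEF:\d+\|")

# key=value pairs in the extension; values may contain spaces (e.g. rt=...),
# so a value runs until the next " key=" or the end of the string.
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# Everything before the first "CEF:" is the prefix to drop. This mirrors a
# props.conf line of the form  SEDCMD-strip_prefix = s/^.*?CEF:/CEF:/
SYSLOG_PREFIX = re.compile(r"^.*?(?=CEF:)")


def parse_cef(event):
    """Return header and extension fields as a dict, or None when the event
    does not start with a CEF header (the failure mode described in the thread).
    Escaped pipes (\\|) inside header values are not handled, to keep it short."""
    if not CEF_AT_START.match(event):
        return None
    parts = event.split("|", 7)
    if len(parts) < 8:
        return None
    fields = dict(zip(HEADER_KEYS, parts[:7]))
    fields["version"] = fields["version"].split(":", 1)[1]  # "CEF:0" -> "0"
    fields.update(EXT_KV.findall(parts[7]))
    return fields


def strip_syslog_prefix(event):
    """Drop anything syslog-ng put in front of the CEF header; no-op otherwise."""
    return SYSLOG_PREFIX.sub("", event, count=1)


if __name__ == "__main__":
    for label, line in (("raw", RAW_CEF),
                        ("prefixed", PREFIXED),
                        ("prefixed+stripped", strip_syslog_prefix(PREFIXED))):
        parsed = parse_cef(line)
        summary = "no match" if parsed is None else f"{parsed['vendor']} src={parsed['src']}"
        print(f"{label:18} -> {summary}")
```

Running it prints "no match" for the prefixed line and the vendor and source address for the other two. The two usual remedies are the ones the thread points at: either have syslog-ng write only the message body (a syslog-ng template that emits just `$MSG` rather than the full reassembled syslog line), or leave the file alone and strip the prefix at parse time with a `SEDCMD` in `props.conf`. In either case the parse-time settings have to live on the heavy forwarder, since that is the first full Splunk instance the data reaches; an app installed only on the search head does not influence how events are broken and sourcetyped there.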