I'm currently onboarding Juniper SRX firewall data with the Splunk_TA_juniper. Unfortunately the format in the app does not match the logs produced by our devices.
For example, the app contains the following in transforms.conf:

[force_sourcetype_for_junos_firewall]
DEST_KEY = MetaData:Sourcetype
REGEX = \s+RT_FLOW:|\s+RT_IDS:
FORMAT = sourcetype::juniper:junos:firewall

Our logs look like this:

<Timestamp> <Hostname> RT_FLOW <Message>
So in our logs there is no colon after RT_FLOW. Is this a known problem with SRX firewalls in combination with the TA? I just wanted to make sure that there is no simple way around this before I go and rewrite all the regex to match our logs.
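To see concretely why the shipped stanza misses the colon-less events, and what a minimally adjusted REGEX would look like, here is an added Python check (not part of the question, the TA, or Splunk). The adjusted pattern is an assumption of mine, the sample events are constructed, and only regex constructs that behave the same in Python and in Splunk's PCRE are used.

```python
import re
from typing import Optional

# The REGEX quoted from the TA's transforms.conf: it requires a colon
# immediately after RT_FLOW / RT_IDS.
TA_REGEX = re.compile(r"\s+RT_FLOW:|\s+RT_IDS:")

# Adjusted pattern (my assumption, not the TA's own): the colon is optional
# (":?") and the tag must be followed by whitespace or end of line, so both
# "RT_FLOW: <Message>" and "RT_FLOW <Message>" are matched, while a token
# such as "RT_FLOW_SESSION_CLOSE" on its own is not.
ADJUSTED_REGEX = re.compile(r"\s+(?:RT_FLOW|RT_IDS):?(?=\s|$)")

# Constructed sample events (hostnames and messages are made up).
TA_FORMAT_EVENT = "2024-01-01T12:00:00 srx-edge RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed"
LOCAL_FORMAT_EVENT = "2024-01-01T12:00:00 srx-edge RT_FLOW RT_FLOW_SESSION_CLOSE: session closed"
UNRELATED_EVENT = "2024-01-01T12:00:00 srx-edge sshd[1234]: Accepted publickey for admin"


def assigned_sourcetype(event: str, pattern: re.Pattern) -> Optional[str]:
    """Mimic the force_sourcetype transform: return the FORMAT value when
    REGEX matches anywhere in the raw event, otherwise None (sourcetype
    left unchanged by this transform)."""
    if pattern.search(event):
        return "juniper:junos:firewall"
    return None


def compare(events):
    """Return {event: (result with TA regex, result with adjusted regex)}."""
    return {
        e: (assigned_sourcetype(e, TA_REGEX), assigned_sourcetype(e, ADJUSTED_REGEX))
        for e in events
    }


if __name__ == "__main__":
    for event, (ta, adjusted) in compare(
        [TA_FORMAT_EVENT, LOCAL_FORMAT_EVENT, UNRELATED_EVENT]
    ).items():
        print(f"{event[:45]:<45} TA: {ta!s:<24} adjusted: {adjusted}")
```

If you do go this route, put the modified stanza in the TA's local/transforms.conf rather than editing default/, so it survives upgrades of the app.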