I have JSON data coming in from FireEye but can't parse it.
I'm working with a cluster environment.
inputs.conf on the heavy forwarder:
The events are shown in Splunk but are not parsed.
I think you should assign the json KV_MODE to your sourcetype, with a stanza like this in props.conf:
KV_MODE = json
Maybe you need to set TIMEFORMAT and LINEBREAKER as well.
If the above doesn't work, please send a sample from the log.
As I mentioned, I'm working with a cluster environment.
Accordingly, where do I need to edit the props.conf? In the cluster master?