Hello members
I'm facing problems parsing the event details in Splunk. I have forwarded the events from the HF to the indexers and they are now searchable, but I'm having issues with field extractions and event details because the messages are truncated. For example,
if I have something like this sample event:
CEF:0|fireeye|HX|4.8.0|IOC Hit Found|IOC Hit Found|10|rt=Jul 23 2019 16:54:24 UTC dvchost=fireeye.mps.test categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host
the categoryDeviceType parameter is truncated in the field extraction, so it displays only "Forensic" and the rest of the string is cut off.
So can anyone please help with this matter?
My props.conf is:
[trellix]
category = Custom
pulldown_type = 1
TIME_FORMAT = ^<\d+>
EVAL-_time = strftime(_time, "%Y %b %d %H:%M:%S")
TIME_PREFIX = %b %d %H:%M:%S
It looks like you may be using a default extract which takes name=value and the value is being terminated at the next space. You will probably have to do some field specific extractions to override these defaults.
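To illustrate the reply above, here is an added example (not from the original thread and not Splunk's own code) that parses the CEF extension of the question's sample event with a regex whose value runs up to the next `key=` token instead of the next space, and contrasts it with the naive space-split that produces "Forensic". The sample event string and function names are constructed for this example.

```python
import re

# Sample event constructed from the one quoted in the question (not a live capture).
SAMPLE_EVENT = (
    "CEF:0|fireeye|HX|4.8.0|IOC Hit Found|IOC Hit Found|10|"
    "rt=Jul 23 2019 16:54:24 UTC dvchost=fireeye.mps.test "
    "categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation "
    "categoryObject=/Host"
)

# The CEF header is seven pipe-delimited fields; everything after is the extension.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# A value extends (lazily) until the next whitespace-separated "key=" or end of
# string. A default space-delimited key=value extraction stops at the first space,
# which is why categoryDeviceType appeared as just "Forensic".
EXT_PAIR = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|$)"
)


def parse_cef(event: str) -> dict:
    """Return CEF header fields plus extension key/value pairs as one dict."""
    if not event.startswith("CEF:"):
        raise ValueError("not a CEF event")
    # Header pipes may be escaped as \| inside a field; split on unescaped pipes only.
    parts = re.split(r"(?<!\\)\|", event[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("malformed CEF header")
    fields = dict(zip(HEADER_FIELDS, parts[:7]))
    for m in EXT_PAIR.finditer(parts[7]):
        fields[m.group("key")] = m.group("value").strip()
    return fields


def default_space_split(extension: str) -> dict:
    """What a naive space-delimited key=value extraction yields, for contrast."""
    return dict(tok.split("=", 1) for tok in extension.split() if "=" in tok)


if __name__ == "__main__":
    good = parse_cef(SAMPLE_EVENT)
    naive = default_space_split(SAMPLE_EVENT.split("|", 7)[7])
    print("regex extraction :", good["categoryDeviceType"])
    print("space-split      :", naive["categoryDeviceType"])
```

In Splunk the same regex belongs in a transforms.conf stanza with `FORMAT = $1::$2` and `REPEAT_MATCH = true`, referenced from a `REPORT-` setting in props.conf, so that every pair in the extension is extracted rather than only the first.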
Could you help me with examples please?
Because I tried to find an app for Trellix HX endpoint security but I can't find it.
Thanks
Please don't create duplicate threads on the same subject. You already asked about parsing HX events here https://community.splunk.com/t5/Deployment-Architecture/forwarded-events-and-field-extraction/m-p/69...