Hello there,
We are looking to use the Custom option to send vpc flow log data to Splunk Cloud. Previously we were using the default set of fields. There's a need to ingest additional fields without using the "all fields" option in order to save on data ingest.
The issue appears to be with the Regex where the add-on cannot mix and match field names, rather it needs to be in a particular order otherwise the data is not parsed properly.
Default Format:
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
Custom Format
${version} ${account-id} ${vpc-id} ${subnet-id} ${interface-id} ${instance-id} ${flow-direction} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${pkt-srcaddr} ${pkt-dstaddr} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
This is preventing us from being able to include additional fields that can be useful to our team, without ingesting everything. Has anyone else encountered this problem before?