Solved: Palo/Splunk Parsing Issue - Field values are Trunc...

ghostdog920 · ‎06-15-2021

Having a strange issue and not sure what my culprit/problem is. Have a panorama to syslogng to Heavy Forwarder to Indexer with a single search head. I see the parsing (I think) where fields are found and values= but they are truncating. Specifically, my raw event has this in it:

before_change_detail="Emergency by IP { static [ ""Jim CentOS"" ]; } " after_change_detail=Emergency by IP { }

but when i look at the field values, this is what i get:

Any ideas on why my field values are getting cut short?

ghostdog920 · ‎07-01-2021

Finally got this all straightened out. Needed to use cef utils for splunk along with a separate syslog destination from my panorama with custom cef events setup for the config section to get what i wanted.

View solution in original post

ghostdog920 · ‎07-01-2021

Finally got this all straightened out. Needed to use cef utils for splunk along with a separate syslog destination from my panorama with custom cef events setup for the config section to get what i wanted.

Palo/Splunk Parsing Issue - Field values are Truncating

field extraction

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience