Hello. I would like to ingest data from a FireEye HX, viewing the data either in the FireEye app or through our own dashboards. However, although the data is being indexed, the fields are not being extracted/labelled in a useful way.

I am running Splunk 8.2.2 on Linux. I have an indexer cluster and an SH cluster. I am using the latest app version, 3.8.8. The FireEye HX is sending data via TCP in CEF format.

On the CM:

# cat etc/master-apps/_cluster/local/inputs.conf
<snip>
[tcp://:1234]
index = fe_data
sourcetype = hx_ce_syslog

# ls etc/master-apps/FireEye_v3
appserver bin default lookups metadata README.md static

I created local versions of props.conf and transforms.conf. In props.conf I uncommented this line as instructed (as we want the data in our own index):

# Uncomment the next line to send FireEye data to a separate index called "fireeye"
TRANSFORMS-updateFireEyeIndex = fix_FireEye_CEF_in, fix_FireEye_CSV_in, fix_FireEye_XML_in, fix_FireEye_JSON_st, fix_HX_CEF_in, fix_HX2_CEF_in

In transforms.conf I changed entries like this to use our index:

[fix_HX_CEF_in]
REGEX=.*:\sCEF\:\d\|mandiant\|mso\|
DEST_KEY=_MetaData:Index
FORMAT=fe_data

Q: Did I need to change FORMAT to use our index if I have specified the index in inputs.conf?

Q: Am I right in thinking I don't need the FireEye app installed on the SHC if I don't want to use the app there? i.e. it is enough for the indexers to use the app's configuration to parse the data.

Q: If the above is correct, does anyone know why the fields are not being extracted as, for example, cef_name?
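An offline check of whether the REGEX quoted above for [fix_HX_CEF_in] would fire on a raw event, plus a minimal CEF header/extension parser showing which header position a field such as cef_name comes from. This is an added example, not code from the FireEye app or the poster; the sample events are constructed, and all header field names other than cef_name are assumed labels.

```python
import re

# Transform regex exactly as quoted in the post's [fix_HX_CEF_in] stanza.
HX_CEF_REGEX = re.compile(r".*:\sCEF\:\d\|mandiant\|mso\|")

# CEF header positions (seven fields before the extension).
# Only cef_name appears in the post; the other names are assumed labels.
CEF_HEADER = ("cef_version", "cef_vendor", "cef_product", "cef_device_version",
              "cef_signature_id", "cef_name", "cef_severity")

# Constructed sample events: one with the "tag: CEF:0|..." shape the regex
# expects, one where the syslog line has no "<tag>: " before the CEF header.
SAMPLE_OK = ("<13>Oct 10 12:00:00 hx-host hx: CEF:0|mandiant|mso|3.1|IOC Hit|"
             "Indicator detected|5|rt=Oct 10 12:00:00 shost=WS-01 cs1=Suspicious\\=Process")
SAMPLE_NO_TAG = ("<13>Oct 10 12:00:00 hx-host CEF:0|mandiant|mso|3.1|IOC Hit|"
                 "Indicator detected|5|shost=WS-01")


def transform_matches(event: str) -> bool:
    """True if the index-rewrite transform's REGEX would match this raw event."""
    return HX_CEF_REGEX.match(event) is not None


def parse_cef(event: str) -> dict:
    """Parse a syslog-prefixed CEF event into header fields plus extension key=value pairs."""
    start = event.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in event")
    body = event[start + len("CEF:"):]
    # Split the header on pipes that are not backslash-escaped; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("incomplete CEF header")
    fields = {name: parts[i].replace("\\|", "|") for i, name in enumerate(CEF_HEADER)}
    # Extension: key=value pairs; a value runs until the next " key=" or end of line,
    # and may contain backslash-escaped '=' or '\'.
    for m in re.finditer(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)", parts[7]):
        fields[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return fields


if __name__ == "__main__":
    for ev in (SAMPLE_OK, SAMPLE_NO_TAG):
        print("transform fires:", transform_matches(ev))
        print("cef_name:", parse_cef(ev)["cef_name"])
```

If the transform does not fire on a captured event, the index rewrite in transforms.conf is not applied to it, regardless of what the app's field extractions would otherwise produce.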