×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lzahariev
Explorer
Member since: ‎10-25-2021
‎10-28-2021
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎10-25-2021
View All

Re: No data can be seen from Forcepoint Firewall i...

by in Getting Data In
‎10-26-2021 07:52 AM
‎10-26-2021 07:52 AM
Hi! Just for the record, we've made progress, whereby we've changed the value of 'LINE_BREAKER = ' from the default '([\r\n]+)' to '<record>' in the $SPLUNK_HOME/etc/system/local/props.conf file, because the indexer could not seem to parse the incoming .xml data, as configured in that format on the Forecepoint SMC.  The above was determined from this article: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-do-event-break-for-XML-file-like-this/m-p/383203 Now we can see event data in the Splunk Ent. Web UI > Apps > Forcepoint, which we couldn't before, but in the Search & Reporting app the event data still cannot seem to be broken into columns if changed to Table view - not sure if that's how data is supposed to be displayed in the first place... Thanks for your input PickleRick! Much appreciated! Regards, Lubo ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-28-2021 05:12 AM