We have a similar issue. Splunk support did not have an answer. One possible solution might be "CEF Extraction Add-on for Splunk" https://splunkbase.splunk.com/app/487/ I have not found documentation on it, and it is not supported by Splunk. I have also seen references to a partial solution using some changes to the configuration on the Splunk agent side. With Splunk sending their CEF product to EOL, I am surprised they don't have a corporate recommendation. Anyone have more concrete solutions?