Has anyone created props.conf and transforms.conf for the Splunk Add-On for Cisco ESA/IronPort AMP logs?
Each step creates a log entry, and the ESA App only does the MID. Each of the other events needs to be split out to make a meaningful alert.
Such as:
To:
From:
Subject:
Attachment:
Verdict:
queued for delivery:
Dropped by AMP:
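As an added illustration (not from the original post or the Splunk add-on), the following Python joins the per-step ESA events listed above into one record per MID, using the same kind of per-step regexes you would otherwise place in props.conf/transforms.conf extractions. The sample log lines are constructed to approximate the ESA mail_logs layout and are an assumption; check the regexes against your real logs before reusing them.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating the ESA mail_logs layout (not real
# captured data); field order and punctuation must be checked against real logs.
SAMPLE_LOG = """\
Thu Apr 12 10:00:01 2018 Info: MID 4003 ICID 801 From: <sender@example.com>
Thu Apr 12 10:00:01 2018 Info: MID 4003 ICID 801 RID 0 To: <user@example.org>
Thu Apr 12 10:00:02 2018 Info: MID 4003 Subject 'Invoice attached'
Thu Apr 12 10:00:02 2018 Info: MID 4003 attachment 'invoice.pdf'
Thu Apr 12 10:00:03 2018 Info: MID 4003 AMP file reputation verdict : MALICIOUS
Thu Apr 12 10:00:03 2018 Info: Message 4003 dropped by AMP
Thu Apr 12 10:00:05 2018 Info: MID 4004 ICID 802 From: <ok@example.net>
Thu Apr 12 10:00:05 2018 Info: MID 4004 ICID 802 RID 0 To: <user@example.org>
Thu Apr 12 10:00:06 2018 Info: MID 4004 Subject 'Minutes'
Thu Apr 12 10:00:06 2018 Info: MID 4004 attachment 'minutes.docx'
Thu Apr 12 10:00:07 2018 Info: MID 4004 AMP file reputation verdict : CLEAN
Thu Apr 12 10:00:08 2018 Info: MID 4004 queued for delivery
"""

# One regex per event step. Each captures the MID (the drop line uses
# "Message <n>") so the separate events can be joined into a single record.
STEP_PATTERNS = {
    "from": re.compile(r"MID (?P<mid>\d+) .*?From: <(?P<val>[^>]+)>"),
    "to": re.compile(r"MID (?P<mid>\d+) .*?To: <(?P<val>[^>]+)>"),
    "subject": re.compile(r"MID (?P<mid>\d+) Subject '(?P<val>[^']*)'"),
    "attachment": re.compile(r"MID (?P<mid>\d+) attachment '(?P<val>[^']*)'"),
    "verdict": re.compile(r"MID (?P<mid>\d+) AMP file reputation verdict : (?P<val>\w+)"),
    "action": re.compile(r"(?:MID|Message) (?P<mid>\d+) (?P<val>queued for delivery|dropped by AMP)"),
}

def correlate_by_mid(log_text):
    """Join the per-step ESA events into one dict of fields per MID."""
    messages = defaultdict(dict)
    for line in log_text.splitlines():
        for field, pattern in STEP_PATTERNS.items():
            m = pattern.search(line)
            if m:
                messages[m["mid"]][field] = m["val"]
                break  # each line carries exactly one step
    return dict(messages)

def amp_drop_alerts(log_text):
    """Return only the messages AMP dropped, with the fields an alert needs."""
    return [
        {"mid": mid, **rec}
        for mid, rec in correlate_by_mid(log_text).items()
        if rec.get("action") == "dropped by AMP"
    ]
```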