For some reason, one-liner entries are being sent to my Splunk after the Incapsula logs shifted to LEEF format. Initially, we were using CEF format.
sourcetype:incapsula
One-liner log entries look like this:
startTime:xxxxx
startTime:xxxx
endTime:xxxxxx
The vendor is unable to change anything on their end. Is there anything we can do on the Splunk side to make it such that the entries can be recognized by Splunk?
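Added example (not part of the original post or any answer to it): one Splunk-side approach to the symptom described above is to stop line-merging and break events only where a new LEEF header begins, so that the tab- or newline-separated `key=value` attributes stay attached to their header. The Python below mirrors that `LINE_BREAKER` logic on a constructed LEEF 1.0 sample in which each attribute arrives on its own line, shows how a naive newline split produces the one-field entries from the post, and then parses the reassembled events. Assumptions: the Incapsula events begin with the standard `LEEF:` header and use `key=value` attributes per the LEEF spec (the post renders them with a colon); the `[incapsula]` stanza name is taken from the post's sourcetype; the sample values and IPs are made up.

```python
"""Re-assemble LEEF events that Splunk has been splitting into one-field lines.

Equivalent props.conf stanza (assumed; stanza name from the post's sourcetype),
to be placed where parsing happens, i.e. on the indexer or heavy forwarder:

    [incapsula]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ([\\r\\n]+)(?=LEEF:)
    TRUNCATE = 0
"""
import re

# Same idea as the LINE_BREAKER above: a run of newlines is an event boundary
# only when it is immediately followed by a LEEF header.
LINE_BREAKER = re.compile(r"[\r\n]+(?=LEEF:)")

# LEEF 1.0 header: LEEF:Version|Vendor|Product|ProductVersion|EventID|attributes
HEADER = re.compile(
    r"^LEEF:(?P<version>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$",
    re.S,
)

# Constructed sample (not real Incapsula output): two events whose attributes
# arrive one per line instead of tab-separated, reproducing the post's symptom.
SAMPLE = (
    "LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|\n"
    "startTime=1609459200000\n"
    "endTime=1609459260000\n"
    "src=192.0.2.10\n"
    "LEEF:1.0|Incapsula|SIEMintegration|1.0|Normal|\n"
    "startTime=1609459300000\n"
    "endTime=1609459360000\n"
    "src=198.51.100.7\n"
)


def naive_events(raw: str) -> list[str]:
    """Default behaviour: every non-empty line becomes its own event."""
    return [line for line in raw.splitlines() if line.strip()]


def leef_events(raw: str) -> list[str]:
    """Break only before a LEEF header, keeping each event's attributes together."""
    return [event.strip() for event in LINE_BREAKER.split(raw) if event.strip()]


def parse_leef(event: str) -> dict[str, str]:
    """Split a reassembled LEEF event into header fields plus key=value attributes."""
    match = HEADER.match(event)
    if not match:
        raise ValueError("not a LEEF event: %r" % event[:40])
    fields = {
        name: match.group(name)
        for name in ("version", "vendor", "product", "product_version", "event_id")
    }
    # LEEF attributes are tab-delimited; here newlines are accepted too, since
    # that is exactly how the broken feed delivers them.
    for token in re.split(r"[\t\r\n]+", match.group("attrs")):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


if __name__ == "__main__":
    print("naive split produced", len(naive_events(SAMPLE)), "events")
    for event in leef_events(SAMPLE):
        print(parse_leef(event))
```

On the real deployment the regex lives in `props.conf`, not in Python; the script only lets you confirm that the lookahead boundary reassembles your actual raw lines before you restart the indexer with the new stanza. Line-breaking settings are ignored on a universal forwarder, so put them on the component that parses the data.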