Zscaler NSS feed format tweaks for regex compliance for 'zscalernss-fw' & 'zscalernss-dns'

[ducktailedplatypus]

The available default feed formats for ZScaler NSS sourcetypes 'zscalernss-fw' and 'zscalernss-dns' do not have the correct format OOTB to comply with the Zscaler NSS SC4S Source filter regex.

The date section of the 'named value pairs' output feed type for these specific feeds can be replaced with '%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}' (i.e. the format from the 'zscalernss-web' 'Splunk CIM' feed) to get it work again.

This is in addition to the currently documented addition of vendor and product fields to the end of the feed format.

Does the documentation need to the updated to include this feed change?

[ryanfaircloth]

yes can you make a pr for this?

[rjha-splunk]

As there is no response on the issue, we are closing the issue.