From 21b37d78e9697208963bd2fefba9f12ebfa12a0b Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 17 Apr 2020 16:56:44 -0400
Subject: [PATCH] Update cef.conf.tmpl
---
 package/etc/conf.d/filters/common_event_format/cef.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl b/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
index f64258e..f6c07fb 100644
--- a/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
+++ b/package/etc/conf.d/filters/common_event_format/cef.conf.tmpl
@@ -1,6 +1,6 @@
 filter f_cef {
- message('(<\d*>)?1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)
+ message('(<\d*>)?1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)
 );
 };
 filter f_iscef {
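Review bot: With `(<\d*>)?` optional on the new `message(...)` line, no element before `CEF:0|` is required any more, so `f_cef` now matches any message in which that string sits at the start or after a space, including CEF-looking text carried inside a free-text field of an unrelated source. Because `flags(store-matches)` is set, group 3 of such a message is stored as if it were the CEF payload and group 1 can now be empty; whatever reads `$1` and `$3` is outside this hunk, so confirm it tolerates both. I would at least tie the PRI capture to the start of the message and bound its digits, `message('^(<\d{1,3}>)?1? ?(?:(.*) |^)(CEF:0\|.*)' flags(store-matches)`, which also stops `<>` being accepted as a priority. The `(.*) ` prefix stays permissive even then, so if classification matters for routing, consider pairing this filter with a source or host constraint. A short comment above the pattern naming the sender format that arrives without a PRI would make the reason for the relaxation reviewable later.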