This is a template which can be used to quickly onboard CEF-formatted data. Note that this is NOT a finished add-on, but is meant to help you create your own. Also note that some of the regular expressions used are not high performing, so it is not suggested that this be used on a high-volume sourcetype.
Aplura, LLC
1.4
True
- linebreaking
- timestamping
- Make a copy of this app, which will be your new TA
- In the new TA:
- Edit the README as needed
- Edit the
props.conf, adjusting themy_sourcetypeto the correct sourcetype for your data - Edit the
props.confand change theREPORT-*directives so that they start with the name of your sourcetype, instead ofsourcetype. - Edit the
transforms.confin the same way so that theprops.confentries match the stanza names intransforms.conf
- Distribute the TA as needed to your search heads and indexers.
The cef_splunk_fields.csv file contains a listing of the CEF fields and the aliases that are created. Fields which are not listed with a Splunk field will be extracted to the CEF field.
- Initial release
- Fix for CIM mappings (thanks, Greg!)
- Fix for the initial extraction to expect "CEF" at the start of the event
- Fix typo for dest (commented out by default)
- Fix typo for src_nt_host
- Thanks to tonysweet for reporting these!
- Fix another typo (thanks again tonysweet!)
- Added EVALs for dest, dvc, src