https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77150#M15786 <P>I couldn't find a lot of details related to LEEF, Log Event Enhanced Format. I can speak to this question in a more general sense. With respect to getting data in, if LEEF is truly a format and information is still collected via log file or network input (syslog) then collection can be done with Splunk with little to no effort. If LEEF specifies proprietary methods for data collection (i.e. OPSEC) then Splunk can still satisfy data collection using a scripted input (typically a python script responsible for the collection).</P> <P>Once ASCII data is indexed via Splunk we can apply "late binding knowldege" (eventtypes/tags, props/transforms) at search time. The LEEF specification should detail the format in which events are written including date/time format, delimiters, etc. We should be able to map these details into search time properties relatively easily.</P> <P>So in short I would have to say Yes Splunk does.</P> Fri, 15 Apr 2011 20:15:22 GMT hazekamp 2011-04-15T20:15:22Z https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77149#M15785 <P>Does it support LEEF, Log Event Enhanced Format?</P> Fri, 08 Apr 2011 03:30:25 GMT https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77149#M15785 the_wolverine 2011-04-08T03:30:25Z https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77150#M15786 <P>I couldn't find a lot of details related to LEEF, Log Event Enhanced Format. I can speak to this question in a more general sense. With respect to getting data in, if LEEF is truly a format and information is still collected via log file or network input (syslog) then collection can be done with Splunk with little to no effort. If LEEF specifies proprietary methods for data collection (i.e. OPSEC) then Splunk can still satisfy data collection using a scripted input (typically a python script responsible for the collection).</P> <P>Once ASCII data is indexed via Splunk we can apply "late binding knowldege" (eventtypes/tags, props/transforms) at search time. The LEEF specification should detail the format in which events are written including date/time format, delimiters, etc. We should be able to map these details into search time properties relatively easily.</P> <P>So in short I would have to say Yes Splunk does.</P> Fri, 15 Apr 2011 20:15:22 GMT https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77150#M15786 hazekamp 2011-04-15T20:15:22Z https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77151#M15787 <P>See <A href="https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html">https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html</A></P> Thu, 26 Jul 2018 09:16:15 GMT https://community.splunk.com/t5/Getting-Data-In/Does-Splunk-support-LEEF-formatted-events/m-p/77151#M15787 Rob_van_Hoboken 2018-07-26T09:16:15Z