Add extractions

bshuler_splunk · ‎08-23-2016

I would like for you to add these extractions to your app. The function as your cefkv command does, but without the need for the command:

I believe you already have the extractions for EXTRACT-cef-0 and EXTRACT-cef-3, but I would like to see the others added.

KV_MODE = None
ANNOTATE_PUNCT = false

# This extracts the CEF header
EXTRACT-cef-0 = CEF:\s?(?<cef_cefVersion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)
# This extracts all values where the Label is before the value. Example cs1Label=FirstName cs1=John
EXTRACT-cef-1 = (?:([\d\w]+)Label=(?<_KEY_1>\S+))(?=.*\1=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=))
# This extracts all values where the Label is after the value. cs1=John Example cs1Label=FirstName
EXTRACT-cef-2 = (?:([\w\d]+)=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=)(?=.*\1Label=(?<_KEY_1>\S+)))
# This extracts all key=value of this field
EXTRACT-cef-3 = (?<_KEY_1>[^\s\|]+)=(?<_VAL_1>[^=]+)(?=\s+\w+=|$)
# This extracts key:value from the msg field
EXTRACT-cef-4 = (?<_KEY_1>\S+):(?<_VAL_1>\S+) IN msg

bshuler_splunk · ‎08-23-2016

I added my changes here: https://github.com/bshuler/TA-cefutils

I'd love to fold these into your app if it meets with your approval.

Add extractions

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Add extractions

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+