All Apps and Add-ons

Add extractions

bshuler_splunk
Splunk Employee
Splunk Employee

I would like for you to add these extractions to your app. The function as your cefkv command does, but without the need for the command:

I believe you already have the extractions for EXTRACT-cef-0 and EXTRACT-cef-3, but I would like to see the others added.

KV_MODE = None
ANNOTATE_PUNCT = false

# This extracts the CEF header
EXTRACT-cef-0 = CEF:\s?(?<cef_cefVersion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)
# This extracts all values where the Label is before the value. Example cs1Label=FirstName cs1=John
EXTRACT-cef-1 = (?:([\d\w]+)Label=(?<_KEY_1>\S+))(?=.*\1=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=))
# This extracts all values where the Label is after the value. cs1=John Example cs1Label=FirstName
EXTRACT-cef-2 = (?:([\w\d]+)=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=)(?=.*\1Label=(?<_KEY_1>\S+)))
# This extracts all key=value of this field
EXTRACT-cef-3 = (?<_KEY_1>[^\s\|]+)=(?<_VAL_1>[^=]+)(?=\s+\w+=|$)
# This extracts key:value from the msg field
EXTRACT-cef-4 = (?<_KEY_1>\S+):(?<_VAL_1>\S+) IN msg
0 Karma

bshuler_splunk
Splunk Employee
Splunk Employee

I added my changes here: https://github.com/bshuler/TA-cefutils

I'd love to fold these into your app if it meets with your approval.

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...