
CEF events Issue - cefKeys and cefCustom

riqbal47010
Path Finder

In the event:
cs3Label=HostName_Ext cs3=xx.xx.x.xx cs5Label=Deep src cs5=0 cs10Label=Deep_zone cs10=0 cn2Label=Score cn2=71
cn4Label=Deep_threat_type cn4=5 dmac=00:xx:xx:xx:xx
==============
props.conf

[cefevents]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-cefevents = cefHeaders,cefKeys,cefCustom

transforms.conf

[cefHeaders]
REGEX = CEF:\s?(?<cef_cefVersion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)

[cefKeys]
REGEX = (?:_+)?(?<_KEY_1>[\w.:\[\]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:\[\]]+=|$)))
REPEAT_MATCH = True
CLEAN_KEYS = 1

[cefCustom]
REGEX = (\S+)=([^=]*)\s+(?:\1Label)=([^=]+)(?:(?:\s\w+=)|$)
FORMAT = $3::$2
KEEP_EMPTY_VALS = True

==================
cefHeaders is extracting as expected, but cefKeys and cefCustom are not able to extract the key-value pairs.
Please advise.

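As an added illustration (not part of the question or any reply), the script below runs the posted cefKeys and cefCustom regexes over the posted event and shows that cefKeys yields every pair while cefCustom yields nothing, because that regex expects `cs3=value` to appear before `cs3Label=...` and the event has each Label first. It assumes Python's re engine is close enough to Splunk's PCRE for these two patterns (the `(?<name>...)` named-group syntax is converted), and the value-first event is a constructed variant, not from the post.

```python
import re

# Extension string from the post (addresses masked as in the original).
EVENT = ("cs3Label=HostName_Ext cs3=xx.xx.x.xx cs5Label=Deep src cs5=0 "
         "cs10Label=Deep_zone cs10=0 cn2Label=Score cn2=71 "
         "cn4Label=Deep_threat_type cn4=5 dmac=00:xx:xx:xx:xx")

# Constructed variant with each csN/cnN value placed BEFORE its Label, which is
# the order the cefCustom regex expects (value, whitespace, <key>Label=...).
EVENT_VALUE_FIRST = ("cs3=xx.xx.x.xx cs3Label=HostName_Ext "
                     "cn2=71 cn2Label=Score dmac=00:xx:xx:xx:xx")

# Regexes copied verbatim from the post's transforms.conf.
CEF_KEYS = r"(?:_+)?(?<_KEY_1>[\w.:\[\]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:\[\]]+=|$)))"
CEF_CUSTOM = r"(\S+)=([^=]*)\s+(?:\1Label)=([^=]+)(?:(?:\s\w+=)|$)"


def pcre_to_python(pattern):
    """Splunk uses PCRE named groups (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_keys(event):
    """Emulate [cefKeys] with REPEAT_MATCH: every match contributes _KEY_1 -> _VAL_1."""
    pat = re.compile(pcre_to_python(CEF_KEYS))
    return {m.group("_KEY_1"): m.group("_VAL_1") for m in pat.finditer(event)}


def extract_custom(event):
    """Emulate [cefCustom] with FORMAT = $3::$2: the Label text names the field."""
    pat = re.compile(CEF_CUSTOM)
    return {m.group(3): m.group(2) for m in pat.finditer(event)}


if __name__ == "__main__":
    print("cefKeys  :", extract_keys(EVENT))
    print("cefCustom:", extract_custom(EVENT))              # {} because Label precedes value
    print("cefCustom:", extract_custom(EVENT_VALUE_FIRST))  # only the first pair survives
```

Even on the value-first input only one pair comes out, because the trailing `(?:\s\w+=)` consumes the next key, so with REPEAT_MATCH the following pair is skipped.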