In the event:
cs3Label=HostName_Ext cs3=xx.xx.x.xx cs5Label=Deep src cs5=0 cs10Label=Deep_zone cs10=0 cn2Label=Score cn2=71
cn4Label=Deep_threat_type cn4=5 dmac=00:xx:xx:xx:xx
==============
props.conf
# Source type stanza for CEF events; it wires up the three transforms
# defined in transforms.conf as search-time extractions.
[cefevents]
# Do not skip the input even if Splunk's binary-file check would flag it.
NO_BINARY_CHECK = 1
# Treat every line as its own event (no multi-line merging).
SHOULD_LINEMERGE = false
# NOTE(review): UI-related source type setting; it has no bearing on field extraction.
pulldown_type = 1
# REPORT- is a search-time extraction. The names must match stanza names in
# transforms.conf exactly: cefHeaders parses the pipe-delimited CEF header,
# cefKeys the key=value extension pairs, and cefCustom the <key>/<key>Label pairs.
REPORT-cefevents = cefHeaders,cefKeys,cefCustom
transforms.conf
# Extracts the seven pipe-delimited CEF header fields that follow "CEF:"
# (version, vendor, product, device version, signature, name, severity)
# into named fields prefixed with cef_.
[cefHeaders]
REGEX = CEF:\s?(?<cef_cefVersion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)
# Generic key=value extraction for the CEF extension part.
# _KEY_1 / _VAL_1 are Splunk's special capture groups: the captured key text
# becomes the field name and the captured value its value.
# The key may contain word characters, '.', ':', '[' and ']' (no spaces);
# the value is matched lazily up to the next " key=" token or end of line.
[cefKeys]
REGEX = (?:_+)?(?<_KEY_1>[\w.:\[\]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:\[\]]+=|$)))
# NOTE(review): Splunk documents REPEAT_MATCH as an index-time setting; confirm
# whether it has any effect when the transform is referenced via REPORT-.
REPEAT_MATCH = True
# Replace characters that are not valid in field names with underscores.
CLEAN_KEYS = 1
# Pairs each custom CEF field with its label so that the label becomes the
# field name: FORMAT emits <label text>::<value>.
# The regex expects "<key>=<value>" FIRST, followed by "<key>Label=<label>"
# (the \1 backreference ties the two together).
# NOTE(review): in the sample event the order is reversed
# ("cs3Label=HostName_Ext cs3=xx.xx.x.xx"), so this pattern would not match
# those pairs as written; verify the field order the device actually emits.
# NOTE(review): some labels contain a space (e.g. "Deep src"); check how the
# resulting field name is cleaned.
[cefCustom]
REGEX = (\S+)=([^=]*)\s+(?:\1Label)=([^=]+)(?:(?:\s\w+=)|$)
FORMAT = $3::$2
# Keep the field even when the captured value is empty.
KEEP_EMPTY_VALS = True
==================
The cefHeaders transform extracts its fields as expected, but cefKeys and cefCustom do not extract the key-value pairs.
Please advise.