All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to add additional CEF fields for output to Arcsight?

bradp1234
Path Finder
‎12-18-2014 09:25 AM

I am attempting to map Microsoft TMG logs to CEF with the Splunk app for CEF and I am not able to map the requestURL field. It is not an option in the dropdown box. How can I add this field? Is it a text file within the app?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

matthieu_araman
Communicator
‎04-23-2015 01:45 AM

Hello,

I add the same pb as you.
There are missing cef fields in the choices proposed by the app.

I found the following solution :
to add a custom cef field, open up cef_inventory.csv file in the splunk_app_cef/lookups directory
first line describe the line format (cef_key,splunk_key,full_name,friendly_name,data_type,length,meaning,location,cef_value_type,required_related_field,required_field)

you can test by duplicating a line and modifying it.
first columm is your cef field name
second one is the splunk name (it looks like the app will try to match if the name in the data model contains this splunk name)
after editing the file, just reloading the editing url should be enough to make it appears

there are also comments associated to the fileds in the file which are useful.(they don't seem to appear in the web form)

hope that helps

View solution in original post

Reply
Solved! Jump to solution
Solution

matthieu_araman
Communicator
‎04-23-2015 01:45 AM

Hello,

I add the same pb as you.
There are missing cef fields in the choices proposed by the app.

I found the following solution :
to add a custom cef field, open up cef_inventory.csv file in the splunk_app_cef/lookups directory
first line describe the line format (cef_key,splunk_key,full_name,friendly_name,data_type,length,meaning,location,cef_value_type,required_related_field,required_field)

you can test by duplicating a line and modifying it.
first columm is your cef field name
second one is the splunk name (it looks like the app will try to match if the name in the data model contains this splunk name)
after editing the file, just reloading the editing url should be enough to make it appears

there are also comments associated to the fileds in the file which are useful.(they don't seem to appear in the web form)

hope that helps

Reply
Solved! Jump to solution

sbrant_splunk
Splunk Employee
Splunk Employee
‎02-02-2015 06:21 PM

The Splunk app for CEF relies on data models to pull data from, so what you're seeing in the dropdowns are the fields that exist in data models currently defined on your Splunk instance. If the data models that you have do not contain the desired fields, you can always create a new data model that does.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
li.common.scroll-to.top