
Is there more detailed information about how the CEF field mapping works?

gvhees
Explorer

Is there more detailed information about how the CEF field mapping works?
I've tried the cef_field_map statement in the realtimeoutput.conf, but that doesn't work and the dragndrop in the gui also does not map any fields.

The only thing that seems to work is to use the eval statement in the search to create fields that match the original cef field names. Then the Real-Time Output app will output them.

Is there anyone who has some experience or who has a manual?

Cheers,
Ger

1 Solution

bkilroe
Engager

I managed to get it working by looking at the python scripts. You need to use cef_field_map rather than cef_override_map. I did a test using Splunk's web_access.log; see below.

index=_internal source="*web_access.log" | eval cef_field_map="host:dvchost,source:fname,spent:cn1,useragent:cs1,user:duser,status:cn2,clientip:dvc,method:cs2,bytes:cn3"

I would upload screen shots, but the web site is not allowing me to as apparently I don't have sufficient karma 🙂

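To make the mapping format from the accepted answer concrete, here is an added Python example (not code from the Real-Time Output app or from the thread) that parses a cef_field_map string of "splunkfield:cefkey" pairs, renders a constructed web_access.log-style event as a CEF line with the mapped extension keys, and flags mapped values that are not numeric where the CEF key is a custom number (cn1, cn2, ...). The header values (vendor, product, signature id, name, severity) are placeholders, since the thread does not show what the app emits there; the sample event is constructed. Escaping follows the CEF rules: backslash and pipe in the header, backslash, equals sign and newline in the extension.

```python
import re

# Mapping string copied from the accepted answer: "splunkfield:cefkey" pairs, comma-separated.
MAPPING = ("host:dvchost,source:fname,spent:cn1,useragent:cs1,user:duser,"
           "status:cn2,clientip:dvc,method:cs2,bytes:cn3")

# Placeholder header fields constructed for this example; the app's real
# vendor/product/signature strings are not shown in the thread.
HEADER = ("CEF:0", "ExampleVendor", "ExampleProduct", "1.0",
          "web_access", "Splunk web access event", "3")

# Constructed event shaped like a parsed line of Splunk's own web_access.log.
SAMPLE_EVENT = {
    "host": "splunk01",
    "source": "/opt/splunk/var/log/splunk/web_access.log",
    "spent": "12",
    "useragent": "Mozilla/5.0 (X11; Linux)",
    "user": "admin",
    "status": "200",
    "clientip": "10.0.0.5",
    "method": "GET",
    "bytes": "512",
}

CUSTOM_NUMBER = re.compile(r"^cn\d+$")


def parse_cef_field_map(mapping):
    """Turn 'a:x,b:y' into {'a': 'x', 'b': 'y'}, preserving order; reject malformed pairs."""
    field_map = {}
    for pair in mapping.split(","):
        pair = pair.strip()
        if not pair:
            continue
        if ":" not in pair:
            raise ValueError(f"malformed mapping pair: {pair!r}")
        src, dst = pair.split(":", 1)
        field_map[src.strip()] = dst.strip()
    return field_map


def escape_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: escape backslash, '=' and newlines (pipes are legal here)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def check_numeric_keys(field_map, event):
    """Return cnN keys whose mapped value is not an integer; a receiver cannot use those as numbers."""
    bad = []
    for src, dst in field_map.items():
        if CUSTOM_NUMBER.match(dst) and src in event:
            try:
                int(event[src])
            except (TypeError, ValueError):
                bad.append(dst)
    return bad


def event_to_cef(event, field_map, header=HEADER):
    """Render one event as a CEF line, emitting only mapped fields that are present and non-empty."""
    extension = []
    for src, dst in field_map.items():
        value = event.get(src)
        if value is None or value == "":
            continue
        extension.append(f"{dst}={escape_extension(value)}")
    return "|".join(escape_header(h) for h in header) + "|" + " ".join(extension)


if __name__ == "__main__":
    fm = parse_cef_field_map(MAPPING)
    print(event_to_cef(SAMPLE_EVENT, fm))
    print("non-numeric custom numbers:", check_numeric_keys(SAMPLE_EVENT | {"spent": "fast"}, fm)
          if False else check_numeric_keys(fm, {**SAMPLE_EVENT, "spent": "fast"}))
```

Two things worth checking against your own output: custom keys such as cs1 and cn1 carry no meaning on their own and are conventionally paired with cs1Label / cn1Label keys, which the mapping in the thread does not set; and the numeric check above catches a field like spent or status arriving as text, which would otherwise go out under a cn key and be unusable as a number on the receiving side.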

mlulmer
Explorer

Ger,
Here is where you can find the (latest) revision 20 of the "Implementing ArcSight CEF" document. Implementing ArcSight CEF.pdf
You may need to register with ArcSight to view.

Mark


