
Issue with cef headers not being extracted

chrisjtodd
New Member

I installed version 1.6.0 of the app (fresh install, not upgrade) on Splunk Enterprise 7.1. It's a distributed environment and the app has been installed on both the indexers and search head. Data is showing in most of the app's dashboards as expected, after updating the searches with index=. However, any dashboards looking for cef headers are not returning results. For example, the Integrity Monitoring Activity dashboard provides no results with the following search:

search (index=deep_security sourcetype=deepsecurity-integrity_monitoring) | top limit=5 cef_rulename | rename cef_rulename as "Event Name", count as "Event Count", percent as "Percent of Total"

I do get results if I search just (index=deep_security sourcetype=deepsecurity-integrity_monitoring), but cef_rulename is not listed as a field in the search results. There are no cef_* fields listed. I expect [deepsecurity-cefheaders] section of the app's transforms.conf is supposed to extract those cef headers as fields, but I'm not sure. Is there something I'm missing? Or any suggestion on how to fix this?

Thanks,
Chris

0 Karma

chrisjtodd
New Member

I took a closer look and believe I figured it out. The raw data looks good and the other transforms were working correctly. I noticed there is whitespace between the CEF: and what the cef_version header was looking for. The other entries in transforms.conf accounted for this whitespace, but deepsecurity-cefheaders did not. Added "(\s)?" right after CEF: and it now works. I opened an issue for this on GitHub.

0 Karma
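The fix above is easy to reproduce outside Splunk. The following is an added example, not code from the original post or from the Deep Security app: it builds a hypothetical stand-in for a [deepsecurity-cefheaders]-style header regex in two variants, the original form with nothing allowed between "CEF:" and the version, and the poster's form with "(\s)?" inserted directly after "CEF:", then runs both over constructed sample events and tallies cef_rulename the way "| top limit=5 cef_rulename" does. The field names other than cef_version and cef_rulename, the exact regex, and the sample events are assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample events (not real Deep Security output). The first has
# the canonical "CEF:0|" header; the other two carry the space after "CEF:"
# that the original poster observed, which a strict header regex rejects.
SAMPLE_EVENTS = [
    "<134>Jan 10 12:00:01 dsa01 CEF:0|Trend Micro|Deep Security Agent|12.0.0.1"
    "|30|New Integrity Monitoring Rule|6|cn1=123 cn1Label=Host ID",
    "<134>Jan 10 12:00:02 dsa01 CEF: 0|Trend Micro|Deep Security Agent|12.0.0.1"
    "|31|Integrity Monitoring Rule Modified|5|cn1=123 cn1Label=Host ID",
    "<134>Jan 10 12:00:03 dsa01 CEF: 0|Trend Micro|Deep Security Agent|12.0.0.1"
    "|31|Integrity Monitoring Rule Modified|5|cn1=124 cn1Label=Host ID",
]

# The seven CEF header fields, in wire order. cef_version and cef_rulename are
# the names the thread uses; the other names are assumed for this example.
HEADER_FIELDS = (
    "cef_version", "cef_vendor", "cef_product", "cef_device_version",
    "cef_signature_id", "cef_rulename", "cef_severity",
)

# A header field runs to the next unescaped "|" (CEF escapes "|" and "\"
# with a backslash inside header fields).
_FIELD = r"(?:\\.|[^|\\])*"


def header_regex(allow_space):
    """Build a hypothetical [deepsecurity-cefheaders]-style header regex.

    allow_space=False mirrors the original stanza (nothing permitted between
    "CEF:" and the version); allow_space=True applies the poster's fix of
    inserting "(\\s)?" directly after "CEF:".
    """
    gap = r"(\s)?" if allow_space else ""
    fields = r"\|".join(
        r"(?P<%s>%s)" % (name, r"\d+" if name == "cef_version" else _FIELD)
        for name in HEADER_FIELDS
    )
    return re.compile(r"CEF:" + gap + fields + r"\|")


STRICT_HEADER = header_regex(allow_space=False)  # original behaviour
FIXED_HEADER = header_regex(allow_space=True)    # with (\s)? added


def extract_headers(event, regex):
    """Return the cef_* header fields for one event, or {} if the regex does not match."""
    m = regex.search(event)
    return m.groupdict() if m else {}


def top_rulenames(events, regex, limit=5):
    """Equivalent of '| top limit=5 cef_rulename': (rulename, count), most frequent first."""
    counts = Counter(
        h["cef_rulename"] for h in (extract_headers(e, regex) for e in events) if h
    )
    return counts.most_common(limit)


if __name__ == "__main__":
    for label, regex in (("strict", STRICT_HEADER), ("fixed", FIXED_HEADER)):
        print(label, top_rulenames(SAMPLE_EVENTS, regex))
```

With the strict pattern only the first event yields any cef_* fields, so the dashboard's top command has almost nothing to count, which matches the empty panels described in the question; with the (\s)? variant all three events are extracted. In Splunk the same check can be done ad hoc with the rex command, for example `| rex "CEF:(\s)?(?<cef_version>\d+)\|"`, before committing the change to transforms.conf on the indexers (or heavy forwarders) where the index-time or search-time extraction actually runs.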

FrankVl
Ultra Champion

What does your raw data look like (and have you already taken a look at whether or not that aligns with what the extraction config expects)?

0 Karma


FrankVl
Ultra Champion

Good to see you got it fixed. Please change your comment to an answer and accept it, so people can see this question was resolved 🙂

0 Karma