- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Issue with cef headers not being extracted
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with cef headers not being extracted
I installed version 1.6.0 of the app (fresh install, not upgrade) on Splunk Enterprise 7,1. It's a distributed environment and the app has been installed on both the indexers and search head. Data is showing in most of the app's dashboards as expected, after updating the searches with index=. However, any dashboards looking for cef headers are not returning results. For example, the Integrity Monitoring Activity dashboard provides no results with the following search:
search (index=deep_security sourcetype=deepsecurity-integrity_monitoring) | top limit=5 cef_rulename | rename cef_rulename as "Event Name", count as "Event Count", percent as "Percent of Total"
I do get results if I search just (index=deep_security sourcetype=deepsecurity-integrity_monitoring), but cef_rulename is not listed as a field in the search results. There are no cef_* fields listed. I expect [deepsecurity-cefheaders] section of the app's transforms.conf is supposed to extract those cef headers as fields, but I'm not sure. Is there something I'm missing? Or any suggestion on how to fix this?
Thanks,
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took a closer look and believe I figured it out. The raw data looks good and the other transforms were working correctly. I noticed there is a whitespace between the CEF: and what the cef_version header was looking for. The other entries in transforms.conf accounted for this whitespace, but deepsecurity-cefheaders did not. Added "(\s)?" right after CEF: and it now works. I opened an issue for this on GitHub.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your raw data look like (and have you already taken a look at whether or not that aligns with what the extraction config expects)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took a closer look and believe I figured it out. The raw data looks good and the other transforms were working correctly. I noticed there is a whitespace between the CEF: and what the cef_version header was looking for. The other entries in transforms.conf accounted for this whitespace, but deepsecurity-cefheaders did not. Added "(\s)?" right after CEF: and it now works. I opened an issue for this on GitHub.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to see you got it fixed. Please change your comment to an answer and accept it, so people can see this question was resolved 🙂
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
