Issue with cef headers not being extracted

chrisjtodd
New Member

I installed version 1.6.0 of the app (fresh install, not upgrade) on Splunk Enterprise 7.1. It's a distributed environment and the app has been installed on both the indexers and search head. Data is showing in most of the app's dashboards as expected, after updating the searches with index=. However, any dashboards looking for cef headers are not returning results. For example, the Integrity Monitoring Activity dashboard provides no results with the following search:

search (index=deep_security sourcetype=deepsecurity-integrity_monitoring) | top limit=5 cef_rulename | rename cef_rulename as "Event Name", count as "Event Count", percent as "Percent of Total"

I do get results if I search just (index=deep_security sourcetype=deepsecurity-integrity_monitoring), but cef_rulename is not listed as a field in the search results. There are no cef_* fields listed. I expect [deepsecurity-cefheaders] section of the app's transforms.conf is supposed to extract those cef headers as fields, but I'm not sure. Is there something I'm missing? Or any suggestion on how to fix this?

Thanks,
Chris

0 Karma

chrisjtodd
New Member

I took a closer look and believe I figured it out. The raw data looks good and the other transforms were working correctly. I noticed there is a whitespace between the CEF: and what the cef_version header was looking for. The other entries in transforms.conf accounted for this whitespace, but deepsecurity-cefheaders did not. Added "(\s)?" right after CEF: and it now works. I opened an issue for this on GitHub.

0 Karma
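The fix above is a one-character change to a regular expression, which makes it easy to show the failure and the repair side by side. The following Python example is added here and is not the Deep Security app's own transforms.conf or any code from the thread; it parses the seven CEF header fields into cef_* names and the key=value extension into further fields, with a "strict" pattern that requires the version digit immediately after CEF: (the original behaviour) and a "tolerant" one that allows whitespace there. It generalizes the thread's "(\s)?" to "\s*", so any run of whitespace is accepted. The sample events, vendor and product strings, and field values are constructed for the example.

```python
"""Parse a CEF header and extension; added example, not the app's transforms.conf."""
import re
from typing import Optional

# One pipe-delimited header field: escaped characters ("\|", "\\") or anything
# that is not a bare pipe or backslash.
_FIELD = r"(?:\\.|[^|\\])*"

# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# {ws} is filled in below so the buggy and fixed variants differ only there.
_HEADER_TEMPLATE = (
    r"CEF:{ws}(?P<cef_version>\d+)\|"
    rf"(?P<cef_vendor>{_FIELD})\|"
    rf"(?P<cef_product>{_FIELD})\|"
    rf"(?P<cef_device_version>{_FIELD})\|"
    rf"(?P<cef_signature_id>{_FIELD})\|"
    rf"(?P<cef_rulename>{_FIELD})\|"
    rf"(?P<cef_severity>{_FIELD})\|"
    r"(?P<cef_extension>.*)$"
)
_STRICT_RE = re.compile(_HEADER_TEMPLATE.format(ws=""))       # original: no whitespace allowed
_TOLERANT_RE = re.compile(_HEADER_TEMPLATE.format(ws=r"\s*"))  # fix: whitespace after "CEF:"

# Extension keys are bare tokens followed by "=", each preceded by whitespace.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """CEF escapes '|' (header), '=' (extension) and the backslash itself."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_extension(extension: str) -> dict:
    """Split 'k1=v1 k2=value with spaces' into a dict; values keep inner spaces."""
    keys = list(_EXT_KEY_RE.finditer(extension))
    fields = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        fields[m.group(1)] = _unescape(extension[start:end])
    return fields


def parse_cef(line: str, allow_space: bool = True) -> Optional[dict]:
    """Return cef_* header fields plus extension fields, or None if no header matches."""
    pattern = _TOLERANT_RE if allow_space else _STRICT_RE
    m = pattern.search(line)
    if m is None:
        return None
    fields = {k: _unescape(v) for k, v in m.groupdict().items() if k != "cef_extension"}
    fields.update(parse_extension(m.group("cef_extension")))
    return fields


# Constructed sample events (not real Deep Security output). The first carries the
# whitespace after "CEF:" that defeated the original extraction; the second does not
# and also exercises escaped "|" and "=" characters.
SAMPLE_WITH_SPACE = (
    "<134>Jan 10 12:00:00 dsm-host CEF: 0|Trend Micro|Deep Security Manager|10.0.123|30|"
    "Integrity Monitoring Rule Triggered|6|cn1=1 cn1Label=Host ID dvchost=example-host "
    "msg=Unix - Monitor /etc for changes"
)
SAMPLE_NO_SPACE = (
    "CEF:0|Trend Micro|Deep Security Manager|10.0.123|30|Rule \\| with escaped pipe|3|"
    "cs1=value with \\= sign cs1Label=Note"
)

if __name__ == "__main__":
    print("strict  :", parse_cef(SAMPLE_WITH_SPACE, allow_space=False))   # None: the bug
    print("tolerant:", parse_cef(SAMPLE_WITH_SPACE)["cef_rulename"])      # the fix
    print("escaped :", parse_cef(SAMPLE_NO_SPACE, allow_space=False))
```

The strict pattern returns None for the first sample, which is exactly the symptom in the question: the event is indexed and searchable, but no cef_* fields appear because the header regex never matches. Splunk's transforms.conf REGEX is PCRE, so the same named groups and the `\s*` (or the thread's `(\s)?`) after `CEF:` carry over directly; a quick way to confirm a transform is the culprit is to run the candidate regex against a handful of raw events with `| rex` before touching the app's configuration.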

FrankVl
Ultra Champion

What does your raw data look like (and have you already taken a look at whether or not that aligns with what the extraction config expects)?

0 Karma

FrankVl
Ultra Champion

Good to see you got it fixed. Please change your comment to an answer and accept it, so people can see this question was resolved 🙂

0 Karma