
Issue with cef headers not being extracted

New Member

I installed version 1.6.0 of the app (fresh install, not upgrade) on Splunk Enterprise 7.1. It's a distributed environment and the app has been installed on both the indexers and the search head. Data is showing in most of the app's dashboards as expected, after updating the searches with index=. However, any dashboards looking for cef headers are not returning results. For example, the Integrity Monitoring Activity dashboard provides no results with the following search:

search (index=deepsecurity sourcetype=deepsecurity-integritymonitoring) | top limit=5 cefrulename | rename cefrulename as "Event Name", count as "Event Count", percent as "Percent of Total"

I do get results if I search just (index=deepsecurity sourcetype=deepsecurity-integritymonitoring), but cefrulename is not listed as a field in the search results. There are no cef* fields listed. I expect the [deepsecurity-cefheaders] section of the app's transforms.conf is supposed to extract those cef headers as fields, but I'm not sure. Is there something I'm missing? Or any suggestion on how to fix this?

Thanks,
Chris


Re: Issue with cef headers not being extracted

Ultra Champion

What does your raw data look like (and have you already taken a look at whether or not that aligns with what the extraction config expects)?


Re: Issue with cef headers not being extracted

New Member

I took a closer look and believe I figured it out. The raw data looks good and the other transforms were working correctly. I noticed there is whitespace between the CEF: and what the cef_version header was looking for. The other entries in transforms.conf accounted for this whitespace, but deepsecurity-cefheaders did not. I added "(\s)?" right after CEF: and it now works. I opened an issue for this on GitHub.

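To show why that optional whitespace matters, here is an added Python re-creation of the header extraction (not the app's transforms.conf and not code from the thread): it runs the strict pattern and the "(\s)?" version over constructed Deep Security-style CEF lines. Only cef_version and cefrulename are field names taken from the thread; the other five names are assumptions.

```python
import re

# Constructed sample events, not real Deep Security output. Trend Micro Deep
# Security emits "CEF: 0|...", with a space after "CEF:", which the app's
# original [deepsecurity-cefheaders] regex did not allow for.
SAMPLE_EVENTS = [
    "CEF: 0|Trend Micro|Deep Security Manager|10.0.3000|30|Integrity Monitoring Rule Triggered|6|cn1=1 cn1Label=Host ID",
    "CEF:0|Trend Micro|Deep Security Agent|10.0.0.1|2002895|Unix - Syslog|3|act=Log",
    "CEF: 0|Trend Micro|Deep Security Manager|10.0.3000|600|Rule with escaped \\| pipe|4|act=Log",
]

# cef_version and cefrulename are the field names the thread mentions; the
# other five are assumptions standing in for whatever the app's transforms.conf
# names them.
CEF_HEADER_NAMES = (
    "cef_version", "cefvendor", "cefproduct", "cefdeviceversion",
    "cefsignatureid", "cefrulename", "cefseverity",
)

# One header field: characters up to the next unescaped pipe ("\|" is literal).
_FIELD = r"(?:\\.|[^|\\])*"


def build_header_regex(allow_space_after_prefix: bool) -> "re.Pattern[str]":
    """Build the header regex; the flag adds the thread's "(\\s)?" fix."""
    prefix = r"CEF:(\s)?" if allow_space_after_prefix else r"CEF:"
    groups = [r"(?P<cef_version>\d+)"]  # version must be digits right after the prefix
    groups += [r"(?P<%s>%s)" % (name, _FIELD) for name in CEF_HEADER_NAMES[1:]]
    return re.compile("^" + prefix + r"\|".join(groups) + r"\|")


def extract_cef_headers(event: str, allow_space_after_prefix: bool = True):
    """Return the seven CEF header fields as a dict, or None if no match."""
    match = build_header_regex(allow_space_after_prefix).match(event)
    if match is None:
        return None
    # Undo CEF header escaping: "\|" -> "|" and "\\" -> "\".
    return {k: re.sub(r"\\([|\\])", r"\1", v) for k, v in match.groupdict().items()}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        strict = extract_cef_headers(event, allow_space_after_prefix=False)
        fixed = extract_cef_headers(event, allow_space_after_prefix=True)
        print("strict:", strict and strict["cefrulename"], "| fixed:", fixed["cefrulename"])
```

The first sample fails the strict pattern because a space, not a digit, follows "CEF:", while the second (no space) matches either way, which is why a pattern that works on one sourcetype can silently return nothing on another.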

Re: Issue with cef headers not being extracted

Ultra Champion

Good to see you got it fixed. Please change your comment to an answer and accept it, so people can see this question was resolved 🙂
