Dear,

I'm getting CEF type logs, but Splunk is not parsing correctly.

I installed the App Splunk App for CEF, but it does not work. I also installed the CEF Extraction Add-on for Splunk app but it is not working either.

I tried parsing in the indexer by props.conf and transforms.conf, but it did not work:

props.conf
[host :: XXXXX]
EXTRACT-cef-message = CEF

transforms.conf
[CEF]
REGEX = \ d \ | (? [^ \ |] +) \ | (< [^ \ |] +) \ | (<< vendor_severity> [^ \ |] + (\ \ Ssquc \ srequestCookies \ = (\ S +) \, \ siPlanetDirectoryPro \, \ sJSESSIONID = (\ S +) \ srequest \ \ scs \ w \ s \ w \ s \ w \ s \ w \ s \ w \ w \ w \ w \ w \ w \ w \ w \ s] +) \ scs \ w + Label \ +) \ scs \ w + \ = ([\ w \ s] +) \ scs \ w + \ = ([\ w \ s] +) \ s
DEST_KEY = MetaData: Host

Splunk is doing the parse as follows:

aact
aamlbcookie
acat

cn1

acn1Label

cn5

acn5Label
acs1
acs1Label
acs2
acs2Label
acs3
acs3Label
acs4
acs4Label
acs5
acs5Label
acs6
acs6Label

date_hour

date_mday

date_minute

adate_month

date_second

adate_wday

date_year

date_zone

end

aeventtype
ahost
aindex
aiPlanetDirectoryPro
aJSESSIONID

linecount

amsg
aprimefaces_download
apunct
areason
arequest
arequestCookies
arequestMethod
asource
asourcetype
asplunk_server
asplunk_server_group
asrc
asuser

timeendpos

timestartpos

Can someone help me?