According to the Splunk App for CEF documentation:
3) Use the guided search wizard included in the Splunk App for CEF to define what the output will look like in CEF by selecting a data model, mapping data model attributes to fields where necessary (a good amount of this work will be done automatically), creating any new static fields you need, and defining the name of the syslog receiver that will receive the data.
You mention that the Splunk App for CEF provides a continuous export of the data from Splunk, which sounds great, but the question I have on this is: "Do you have to map every event one by one first, or is there some way to just get a full export of the Splunk data all at once?"
Thanks in advance.