All Apps and Add-ons

Splunk Add-on for Imperva SecureSphere WAF: Why does the add-on not correctly parse event names with a space in them when parsing Incapsula log?


I've noticed that the add-on for imperva WAF, when parsing Incapsula logs, doesn't correctly parse event names with a space in them. For example 'Blocked country' or 'Blocked IP' are never parsed and just become NULL. Event names without a space are fine.

Anyone know how to fix this? I know the relevant props. conf entries are

EXTRACT-CEF0 = ^(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?[^\|]+)\|(?P\d+)
EXTRACT-CEF_Version,CEF_Vendor,CEF_Product,CEF_DeviceVersion,CEF_SignatureID,CEF_Name,CEF_Severity = ^(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?[^\|]+)\s+\|\s+(?P\d+)

However, I don't understand why it wouldn't correctly pick up event names with spaces since [^|]+ means one or more characters not match caret or pipe character.

Anyone have ideas or already resolved this?

0 Karma

Path Finder

Hi gordo

Let me know if you still have problem with Imperva Add-On

We implemented it with our Splunk and it is working perfectly

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: CFP Site: CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...