
Splunk Add-on for Imperva SecureSphere WAF: Why does the add-on not correctly parse event names with a space in them when parsing Incapsula log?

gordo32
Communicator

I've noticed that the add-on for Imperva WAF, when parsing Incapsula logs, doesn't correctly parse event names with a space in them. For example, 'Blocked country' or 'Blocked IP' are never parsed and just become NULL. Event names without a space are fine.

Anyone know how to fix this? I know the relevant props.conf entries are:

EXTRACT-CEF0 = ^(?P<CEF_Version>[^\|]+)\|(?P<CEF_Vendor>[^\|]+)\|(?P<CEF_Product>[^\|]+)\|(?P<CEF_DeviceVersion>[^\|]+)\|(?P<CEF_SignatureID>[^\|]+)\|(?<CEF_Name>[^\|]+)\|(?P<CEF_Severity>\d+)
EXTRACT-CEF_Version,CEF_Vendor,CEF_Product,CEF_DeviceVersion,CEF_SignatureID,CEF_Name,CEF_Severity = ^(?P<CEF_Version>[^\|]+)\s+\|\s+(?P<CEF_Vendor>[^\|]+)\s+\|\s+(?P<CEF_Product>[^\|]+)\s+\|\s+(?P<CEF_DeviceVersion>[^\|]+)\s+\|\s+(?P<CEF_SignatureID>[^\|]+)\s+\|\s+(?<CEF_Name>[^\|]+)\s+\|\s+(?P<CEF_Severity>\d+)

However, I don't understand why it wouldn't correctly pick up event names with spaces, since [^|]+ means one or more characters not matching a caret or pipe character.

Anyone have ideas or already resolved this?

0 Karma
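Added example, not from the original post or from the Imperva add-on: the two header regexes quoted in the question, with all seven group names written out, run in Python against constructed CEF-style lines so the pattern itself can be checked outside Splunk. Python's re module only accepts the (?P<name>...) group syntax, so that form is used for every group here (Splunk's PCRE also accepts (?<name>...)). The sample lines are made up for the test and are not real Incapsula output.

```python
import re

# Pattern 1 from the question (EXTRACT-CEF0): pipes with no surrounding whitespace.
# Group names taken from the stanza name of the second extraction on the page.
CEF_HEADER = re.compile(
    r"^(?P<CEF_Version>[^\|]+)\|(?P<CEF_Vendor>[^\|]+)\|(?P<CEF_Product>[^\|]+)\|"
    r"(?P<CEF_DeviceVersion>[^\|]+)\|(?P<CEF_SignatureID>[^\|]+)\|"
    r"(?P<CEF_Name>[^\|]+)\|(?P<CEF_Severity>\d+)"
)

# Pattern 2 from the question: requires at least one whitespace character on
# both sides of every pipe.
CEF_HEADER_SPACED = re.compile(
    r"^(?P<CEF_Version>[^\|]+)\s+\|\s+(?P<CEF_Vendor>[^\|]+)\s+\|\s+"
    r"(?P<CEF_Product>[^\|]+)\s+\|\s+(?P<CEF_DeviceVersion>[^\|]+)\s+\|\s+"
    r"(?P<CEF_SignatureID>[^\|]+)\s+\|\s+(?P<CEF_Name>[^\|]+)\s+\|\s+"
    r"(?P<CEF_Severity>\d+)"
)


def parse_cef_header(line):
    """Return a dict of the seven header fields, or None if neither pattern matches.

    The unspaced pattern is tried first; the spaced one only if that fails,
    mirroring two independent EXTRACT rules each matching on its own.
    """
    for rx in (CEF_HEADER, CEF_HEADER_SPACED):
        m = rx.match(line)
        if m:
            return m.groupdict()
    return None


def unparsed_names(lines):
    """Diagnostic: list the lines whose CEF_Name came back empty or unmatched."""
    missing = []
    for line in lines:
        fields = parse_cef_header(line)
        if fields is None or not fields["CEF_Name"].strip():
            missing.append(line)
    return missing


# Constructed sample lines (hypothetical, not captured from a real device):
# one event name without a space, two with spaces, in both pipe layouts.
SAMPLES = [
    "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3|fileId=1",
    "CEF:0|Incapsula|SIEMintegration|1|1|Blocked country|3|fileId=2",
    "CEF:0 | Incapsula | SIEMintegration | 1 | 1 | Blocked IP | 3 | fileId=3",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_cef_header(s))
    print("lines with no CEF_Name:", unparsed_names(SAMPLES))
```

Run as written, both patterns capture 'Blocked country' and 'Blocked IP' intact, and the diagnostic list comes back empty. That confirms the question's reading of [^|]+: a space inside the name does not by itself defeat either pattern, so a NULL CEF_Name seen in Splunk points at how the extraction is being applied to the event rather than at the character class.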

aamer86
Path Finder

Hi gordo

Let me know if you still have a problem with the Imperva Add-On.

We implemented it with our Splunk and it is working perfectly.

0 Karma

Damir123
New Member

Hello, aamer, could you please share your experience? Our logs are being parsed wrong atm; could you lend me a hand?

0 Karma