Splunk Add-on for Imperva SecureSphere WAF: Why do...

gordo32 · ‎02-17-2018

I've noticed that the add-on for imperva WAF, when parsing Incapsula logs, doesn't correctly parse event names with a space in them. For example 'Blocked country' or 'Blocked IP' are never parsed and just become NULL. Event names without a space are fine.

Anyone know how to fix this? I know the relevant props. conf entries are

EXTRACT-CEF0 = ^(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?[^\|]+)\|(?P\d+)
EXTRACT-CEF_Version,CEF_Vendor,CEF_Product,CEF_DeviceVersion,CEF_SignatureID,CEF_Name,CEF_Severity = ^(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?[^\|]+)\s+\|\s+(?P\d+)

However, I don't understand why it wouldn't correctly pick up event names with spaces since [^|]+ means one or more characters not match caret or pipe character.

Anyone have ideas or already resolved this?

aamer86 · ‎03-01-2018

Hi gordo

Let me know if you still have problem with Imperva Add-On

We implemented it with our Splunk and it is working perfectly

Damir123 · ‎04-28-2025

Hello, aamer, could you please share your experience? Our logs are being parsed wrong atm, could you lend me a hand?

Splunk Add-on for Imperva SecureSphere WAF: Why does the add-on not correctly parse event names with a space in them when parsing Incapsula log?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation