All Apps and Add-ons

Why are events in the Splunk Add-on for CyberArk not being extracted?

stefan1988
Path Finder

Why are events in the Splunk Add-on for CyberArk not being extracted?

0 Karma
1 Solution

piebob
Splunk Employee
Splunk Employee

Splunk Add-on for CyberArk is missing a space in a REGEX causing events not to be extracted. Please adjust the TA into:
[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7

View solution in original post

ChadLangUAB
Path Finder

My fields are still not being extracted!

I replaced the original text with the Answers text:

[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7

in:

/opt/splunk/etc/apps/Splunk_TA_cyberark/default/transforms.conf

Is there something I'm missing here? any help is greatly appreciated.

0 Karma

piebob
Splunk Employee
Splunk Employee

Splunk Add-on for CyberArk is missing a space in a REGEX causing events not to be extracted. Please adjust the TA into:
[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|((?:\||[^|]))|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7

piebob
Splunk Employee
Splunk Employee

thanks, there wasn't a way to make you also the answerer, stefan. in the future, please try and post as questions and answers. 🙂

0 Karma

asartori
New Member

Hello,

should i change the regex on every node of a distributed installation? Could you please change this in the Addon and release a new version? Would be really usefully.

regards
Andreas

0 Karma

stefan1988
Path Finder

Hello Andreas,

You cant put this on your SH, that will do.

regards
Stefan

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...