
Why are events in the Splunk Add-on for CyberArk not being extracted?

stefan1988
Path Finder

Why are events in the Splunk Add-on for CyberArk not being extracted?

0 Karma
1 Solution

piebob
Splunk Employee

Splunk Add-on for CyberArk is missing a space in a REGEX causing events not to be extracted. Please adjust the TA into:
[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7
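
A way to check the header pattern offline before editing transforms.conf, as an added example (not the add-on's code and not part of the original posts). It assumes the stanza's pattern with escaped pipe delimiters and `*` quantifiers; `STRICT` is a hypothetical variant without `\s?` used only for comparison, and the sample events are constructed.

```python
import re

# Field names taken from the FORMAT line of the stanza.
NAMES = ["cef_cefVersion", "cef_vendor", "cef_product", "cef_version",
         "cef_signature", "cef_name", "cef_severity"]

# One header field: any run of non-pipe characters or escaped pipes (\|).
FIELD = r"((?:\\\||[^|])*)"

def build(prefix):
    """Assemble the CEF header pattern behind the given 'CEF:' prefix."""
    return re.compile(prefix + r"(\d+)\|" + r"\|".join([FIELD] * 6)
                      + r"\|[^\s|]+=.*")

TOLERANT = build(r"CEF:\s?")  # assumed form of the corrected stanza
STRICT = build(r"CEF:")       # hypothetical: no optional space after 'CEF:'

def extract(pattern, event):
    """Return the seven header fields as a dict, or None if nothing matches."""
    m = pattern.search(event)
    return dict(zip(NAMES, m.groups())) if m else None

def audit(events):
    """Events that carry a CEF marker but yield no header fields."""
    return [e for e in events if "CEF:" in e and extract(TOLERANT, e) is None]

# Constructed sample events (not real CyberArk output).
PLAIN = ("Jan 10 12:00:01 vault01 CEF:0|Cyber-Ark|Vault|9.10.0000|295|"
         "Retrieve password|5|act=Retrieve password suser=alice")
SPACED = ("Jan 10 12:00:02 vault01 CEF: 0|Cyber-Ark|Vault|9.10.0000|7|"
          "Logon|5|act=Logon suser=bob")
ESCAPED = (r"Jan 10 12:00:03 pta01 CEF:0|CyberArk|PTA|3.0|21|"
           r"Suspected credentials theft \| unmanaged|8|suser=carol")
TRUNCATED = "Jan 10 12:00:04 vault01 CEF:0|Cyber-Ark|Vault|9.10.0000|295|Retrieve"
SAMPLES = [PLAIN, SPACED, ESCAPED, TRUNCATED]

if __name__ == "__main__":
    for ev in SAMPLES:
        print("strict  :", extract(STRICT, ev))
        print("tolerant:", extract(TOLERANT, ev))
    print("unparsed:", audit(SAMPLES))
```

Events returned by `audit` are the ones that searches on the `cef_*` fields would silently miss.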


ChadLangUAB
Path Finder

My fields are still not being extracted!

I replaced the original text with the Answers text:

[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7

in:

/opt/splunk/etc/apps/Splunk_TA_cyberark/default/transforms.conf

Is there something I'm missing here? Any help is greatly appreciated.

0 Karma

piebob
Splunk Employee

thanks, there wasn't a way to make you also the answerer, stefan. in the future, please try and post as questions and answers. 🙂

0 Karma

asartori
New Member

Hello,

Should I change the regex on every node of a distributed installation? Could you please change this in the add-on and release a new version? That would be really useful.

regards
Andreas

0 Karma

stefan1988
Path Finder

Hello Andreas,

You cant put this on your SH, that will do.

regards
Stefan

0 Karma