Why are events in the Splunk Add-on for CyberArk not being extracted?

Path Finder

Why are events in the Splunk Add-on for CyberArk not being extracted?

Splunk Employee

Splunk Add-on for CyberArk is missing a space in a REGEX, causing events not to be extracted. Please adjust the TA into:
[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7

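As an added check (not part of the answer or the add-on's code), this Python script builds the CEF header regex in both forms, without and with the \s? after CEF:, and runs them over constructed CyberArk-style events. It shows that a PTA event with a space after CEF: matches only the fixed form, and why the (?:\\\||[^|])* groups are needed to keep an escaped pipe inside a header field. Field names follow the add-on's FORMAT line (cef_cefVersion through cef_severity); the events, hosts and user names are made up.

```python
import re
from typing import Optional

# Field names from the add-on's FORMAT line, in capture-group order.
FIELDS = ("cef_cefVersion", "cef_vendor", "cef_product", "cef_version",
          "cef_signature", "cef_name", "cef_severity")

# One pipe-delimited header field: escaped pipes (\|) or any non-pipe character.
_FIELD = r"((?:\\\||[^|])*)"


def build_header_regex(allow_space: bool) -> re.Pattern:
    """Build the CEF header regex; allow_space=True adds the \\s? from the fix."""
    gap = r"\s?" if allow_space else ""
    return re.compile(r"CEF:" + gap + r"(\d+)\|" + r"\|".join([_FIELD] * 6)
                      + r"\|[^\s|]+=.*")


SHIPPED = build_header_regex(allow_space=False)  # CEF:(\d+)\|...    no space allowed
FIXED = build_header_regex(allow_space=True)     # CEF:\s?(\d+)\|... accepted answer


def extract_header(line: str, pattern: re.Pattern = FIXED) -> Optional[dict]:
    """Return the seven header fields keyed like the FORMAT line, or None on no match.
    Escaped pipes inside a field are unescaped, as CEF defines them."""
    m = pattern.search(line)
    if m is None:
        return None
    return {name: val.replace(r"\|", "|") for name, val in zip(FIELDS, m.groups())}


# Constructed sample events (made up for this example, not real CyberArk output).
PTA_WITH_SPACE = ("Jan 10 09:15:02 pta01 CEF: 0|CyberArk|PTA|12.6|1|"
                  "Suspected credentials theft|8|suser=jdoe shost=ws17 duser=Administrator")
VAULT_NO_SPACE = ("Jan 10 09:15:03 vault01 CEF:0|CyberArk|Vault|12.6|7|"
                  "CPM Verify Password|5|act=Verify suser=PasswordManager")
ESCAPED_PIPE = ("Jan 10 09:15:04 pta01 CEF: 0|CyberArk|PTA|12.6|2|"
                "Rule\\|triggered|6|suser=svc_backup")

if __name__ == "__main__":
    for label, event in (("PTA (space)", PTA_WITH_SPACE),
                         ("Vault (no space)", VAULT_NO_SPACE),
                         ("escaped pipe", ESCAPED_PIPE)):
        print(f"{label:17} shipped={extract_header(event, SHIPPED) is not None} "
              f"fixed={extract_header(event)}")
```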

Path Finder

My fields are still not being extracted!

I replaced the original text with the Answers text:

[cyberark_epv_cef_cyberark_pta_cef_extract_field_0]
REGEX = CEF:\s?(\d+)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|((?:\\\||[^|])*)\|[^\s|]+=.*
FORMAT = cef_cefVersion::$1 cef_vendor::$2 cef_product::$3 cef_version::$4 cef_signature::$5 cef_name::$6 cef_severity::$7

in:

/opt/splunk/etc/apps/Splunk_TA_cyberark/default/transforms.conf

Is there something I'm missing here? Any help is greatly appreciated.

Splunk Employee

Thanks, there wasn't a way to make you also the answerer, Stefan. In the future, please try and post as questions and answers. 🙂

New Member

Hello,

Should I change the regex on every node of a distributed installation? Could you please change this in the add-on and release a new version? It would be really useful.

regards
Andreas

Path Finder

Hello Andreas,

You can put this on your SH; that will do.

regards
Stefan
