Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Does Splunk support LEEF formatted events?

the_wolverine
Champion
‎04-07-2011 08:30 PM

Does it support LEEF, Log Event Enhanced Format?

Reply

Rob_van_Hoboken
New Member
‎07-26-2018 02:16 AM

See https://answers.splunk.com/answers/507704/does-splunk-recognize-leef-formatted.html

0 Karma
Reply

hazekamp
Builder
‎04-15-2011 01:15 PM

I couldn't find a lot of details related to LEEF, Log Event Enhanced Format. I can speak to this question in a more general sense. With respect to getting data in, if LEEF is truly a format and information is still collected via log file or network input (syslog) then collection can be done with Splunk with little to no effort. If LEEF specifies proprietary methods for data collection (i.e. OPSEC) then Splunk can still satisfy data collection using a scripted input (typically a python script responsible for the collection).

Once ASCII data is indexed via Splunk we can apply "late binding knowldege" (eventtypes/tags, props/transforms) at search time. The LEEF specification should detail the format in which events are written including date/time format, delimiters, etc. We should be able to map these details into search time properties relatively easily.

So in short I would have to say Yes Splunk does.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...