SPLUNK APP that preserves events in the same forma...

jtsapos · ‎11-06-2014

I got some info from an ArcSight engineer that Splunk recently brought out its own App that will preserve log data in the same format that it receives it and I am lead to believe that it does a lot of the processing to make sure that the data coming out of SPLUNK is in the same format that comes in from the different vendors.

It should make it simpler to do and easier to manage, but at the moment I haven't had the chance to look at this and I can't comment directly.

Maybe someone else has done this or knows more about this?

Thanks in advance.

jtsapos · ‎11-07-2014

Does the Splunk App for CEF convert the data to the same CEF format as ArcSight CEF?

You mention that the SPLUNK app for CEF provides a continuous export of the data from SPLUNK which sounds good but the question I have on this is "Do you have to map every event one by one first or is there some way to just get a full export of the SPLUNK data all at once?"

Can you shed some light on these problems for us?

Thanks in advance

LukeMurphey · ‎11-06-2014

You are likely referring to the Splunk App for CEF. It provides an user interface that helps set up a continuous export of data from Splunk to another device that accepts CEF (such as ArcSight).

SPLUNK APP that preserves events in the same format as it receives them for integration purposes with ArcSight

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!