I got some info from an ArcSight engineer that Splunk recently brought out its own App that will preserve log data in the same format that it receives it, and I am led to believe that it does a lot of the processing to make sure that the data coming out of Splunk is in the same format that comes in from the different vendors.
It should make it simpler to do and easier to manage, but at the moment I haven't had the chance to look at this and I can't comment directly.
Maybe someone else has done this or knows more about this?
Does the Splunk App for CEF convert the data to the same CEF format as ArcSight CEF?
You mention that the Splunk App for CEF provides a continuous export of the data from Splunk, which sounds good, but the question I have on this is: "Do you have to map every event one by one first, or is there some way to just get a full export of the Splunk data all at once?"