Splunk Enterprise Security

CEF parsing is not working

riqbal47010
Path Finder

we have one search head and one with Enterprise Security.

we have one index which named index=fireeye and logs are coming in CEF format.

on search head all the logs are being properly parsing but on ES, the logs are not being parsing.

0 Karma

ragedsparrow
Contributor

This usually means that your configurations are not consistent across your search heads. Typically you would do most of your extractions at the indexing tier, but it appears that you are doing them at the Search layer.

You can try this running this on both Search Heads:

$SPLUNK_HOME$/bin/splunk btool props list <sourcetype>

$SPLUNK_HOME$ is where Splunk is installed (usually /opt/splunk on Linux). See if the output is the same on both search heads.

0 Karma

riqbal47010
Path Finder

I just removed the Fireeye Add-on from ES. and interesting all fields are being properly parsed as supposed to be. the logs are in CEF format.
can anyone explain what happened.

0 Karma

ragedsparrow
Contributor

My best guess is a source/sourcetype override in the Fireye Add-on. You can use the btool command to do troubleshooting on your sourcetype and see what parsing is being applied to them.

0 Karma
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...