Splunk Search

CEF Field Parsing

riqbal47010
Path Finder

I am not seeing extracted field against below query.

index=fireeye | eval {flexString2Label} = flexString2

below are crossponding values in CEF format
flexString2Label = subjcect

flexString2 = "a test message"

Please advise that what I a missing

Labels (1)
Tags (2)
0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults 
| eval flexString2Label = "subject",flexString2 = "a test message" 
| eval {flexString2Label} = flexString2

this is OK.
maybe, flexString2Label OR flexString2 field does not extracted.

View solution in original post

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval flexString2Label = "subject",flexString2 = "a test message" 
| eval {flexString2Label} = flexString2

this is OK.
maybe, flexString2Label OR flexString2 field does not extracted.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...