How to create a custom CEF index for CEF Syslog da...

grantsales · ‎02-24-2015

I'm looking for help on creating a custom CEF index.

I have CEF Syslog data sent into my Splunk instance and I'd like to index some of the tokened fields and simply parse the others.

I know how to do regex extractions for each field, but there has to be a better way to tell splunk there is a CEF header and following a header is the token field names and values.

I want these to be indexed prior to searching for performance.

I do not know if this will scale, but I want to try it.

Can anyone help?

curryRick · ‎11-09-2015

I know this is an 'older' question, but I am getting into the possibility that I too will be working with CEF data. II take it that what you refer to as the "tokened fields" that you mean the "cs#=" and the "cs#label=" fields that are in the "Extension" portion of the messages.

I have not seen anything that indicates there is a way for Splunk to auto-ingest/field extract CEF data. You will likely need to create a transforms to do that and the RegEx should be fairly straight forward for that.

More importantly, I am not sure you'd want to extract these fields at index time; the savings you'd get at search time with this is not likely to be worth the performance impact on index processing to do the extraction and indexing together. I suggest you keep to search time field extractions.

How to create a custom CEF index for CEF Syslog data and extract token field field names and values?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!