https://docs.splunk.com/Documentation/CIM/4.15.0/User/NetworkTraffic sample: | makeresults
| eval _raw="F5:WAF \"2020-04-08 15:36:21\",\"146632585856347577\",\"\",192.121.195.41,443,190.92.12.16,..."
| rex "F5:WAF\s*\"(?<date>[^,]+)\",[^,]+,[^,]+,(?<src_ip>[^,]+),(?<src_port>[^,]+),(?<dest_ip>[^,]+)," recommend: index=yours sourcetype=yours
| rex "F5:WAF\s*\"(?<date>[^,]+)\",[^,]+,[^,]+,(?<src_ip>[^,]+),(?<src_port>[^,]+),(?<dest_ip>[^,]+)," If there is an add-on, you should use it. I tried to match the name to CIM in case.
... View more