All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Imperva SecureSphere WAF: Why does the add-on not correctly parse event names with a space in them when parsing Incapsula log?

gordo32
Communicator
‎02-17-2018 03:26 PM

I've noticed that the add-on for imperva WAF, when parsing Incapsula logs, doesn't correctly parse event names with a space in them. For example 'Blocked country' or 'Blocked IP' are never parsed and just become NULL. Event names without a space are fine.

Anyone know how to fix this? I know the relevant props. conf entries are

EXTRACT-CEF0 = ^(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?[^\|]+)\|(?P\d+)
EXTRACT-CEF_Version,CEF_Vendor,CEF_Product,CEF_DeviceVersion,CEF_SignatureID,CEF_Name,CEF_Severity = ^(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?[^\|]+)\s+\|\s+(?P\d+)

However, I don't understand why it wouldn't correctly pick up event names with spaces since [^|]+ means one or more characters not match caret or pipe character.

Anyone have ideas or already resolved this?

0 Karma
Reply

aamer86
Path Finder
‎03-01-2018 07:47 AM

Hi gordo

Let me know if you still have problem with Imperva Add-On

We implemented it with our Splunk and it is working perfectly

0 Karma
Reply

Damir123
New Member
‎04-28-2025 11:34 PM

Hello, aamer, could you please share your experience? Our logs are being parsed wrong atm, could you lend me a hand?

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...