Splunk Add-on for Imperva SecureSphere WAF: Why do...

gordo32 · ‎02-17-2018

I've noticed that the add-on for imperva WAF, when parsing Incapsula logs, doesn't correctly parse event names with a space in them. For example 'Blocked country' or 'Blocked IP' are never parsed and just become NULL. Event names without a space are fine.

Anyone know how to fix this? I know the relevant props. conf entries are

EXTRACT-CEF0 = ^(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?P[^\|]+)\|(?[^\|]+)\|(?P\d+)
EXTRACT-CEF_Version,CEF_Vendor,CEF_Product,CEF_DeviceVersion,CEF_SignatureID,CEF_Name,CEF_Severity = ^(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?P[^\|]+)\s+\|\s+(?[^\|]+)\s+\|\s+(?P\d+)

However, I don't understand why it wouldn't correctly pick up event names with spaces since [^|]+ means one or more characters not match caret or pipe character.

Anyone have ideas or already resolved this?

aamer86 · ‎03-01-2018

Hi gordo

Let me know if you still have problem with Imperva Add-On

We implemented it with our Splunk and it is working perfectly

Damir123

Hello, aamer, could you please share your experience? Our logs are being parsed wrong atm, could you lend me a hand?

Splunk Add-on for Imperva SecureSphere WAF: Why does the add-on not correctly parse event names with a space in them when parsing Incapsula log?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

Splunk Add-on for Imperva SecureSphere WAF: Why does the add-on not correctly parse event names with a space in them when parsing Incapsula log?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!