Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

This add-on provides transforms for CEF header and key/value extraction, plus a 'cefkv' command for extracting custom strings (useful for dealing with ArcSight logs).

CEFUtils - Common Event Format Extraction Utilities

The common event format is an event exchange syntax. A sample message formatted as CEF looks as follows:
CEF:0|Splunk|Test|1.0|signature:2|Test event|5|src_addr=10.0.0.0 dest_addr=20.0.0.2 src_port=32122 dest_port=80
It consists of a common prefix that always has to be present, followed by a flexible key-value extension.

In order to parse CEF data correctly in Splunk, this add-on provides 2 transforms:

  • cefHeaders - use it to extract CEF headers
  • cefKeys - fixes multiword value extraction (by default Splunk would only extract key's values up to the first whitespace character)

This add-on also provides a cefkv command that should be used for extracting custom key/value pairs from CEF data - useful if you are dealing with ArcSight events.

Example:
CEF:0|Splunk|Test|1.0|signature:2|Test event|5|cs1=custom string value cs1Label=custom label

cefkv will extract following key/value pair from the sample message above: custom_label="custom string value"
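As an added illustration (not the add-on's own code), here is a small Python parser that applies the rules described above: it splits the seven fixed header fields, uses a positive look-ahead on the next " key=" so multi-word values are kept whole, accepts key names containing "." and ":" or a trailing "[NNN]" index, and maps csN/csNLabel pairs to label-named fields the way cefkv does. Field names in HEADER_FIELDS and the label normalisation (spaces to underscores) are assumptions, not the add-on's exact output.

```python
import re

# Extension key: letters, digits, '_', '.', ':' and an optional "[NNN]" index
# (covers keys such as ad.SQL_TEXT[0] and ad.Attributes:Attribute_Name).
KEY = r'[A-Za-z0-9_.:]+(?:\[\d+\])?'
# A value runs lazily until a positive look-ahead finds " <key>=" or the end
# of the string, so "custom string value" is not cut at the first space.
KV_RE = re.compile(r'(?P<key>' + KEY + r')=(?P<val>.*?)(?=\s+' + KEY + r'=|$)')

# Assumed names for the seven pipe-separated header fields.
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")


def parse_cef(line):
    """Split one CEF line into (header dict, extension dict)."""
    # Limit the split to 7 pipes: the extension may itself contain '|'.
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % line)
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext = {m.group("key"): m.group("val") for m in KV_RE.finditer(parts[7])}
    return header, ext


def resolve_custom_strings(ext):
    """Map ArcSight csN / csNLabel pairs to label-named fields, as cefkv does.
    Label text becomes a field name with whitespace replaced by '_' (assumed)."""
    out = {}
    for key, val in ext.items():
        m = re.match(r'^(cs\d+)Label$', key)
        if m and m.group(1) in ext:
            out[re.sub(r'\s+', '_', val.strip())] = ext[m.group(1)]
    return out


if __name__ == "__main__":
    # Constructed sample: the custom-string message from the description.
    sample = ("CEF:0|Splunk|Test|1.0|signature:2|Test event|5|"
              "cs1=custom string value cs1Label=custom label")
    header, ext = parse_cef(sample)
    print(header["name"], ext, resolve_custom_strings(ext))
```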

Versions and Release Notes

Version 1.2.1 (current version - updated Apr 14, 2011)
release notes:
Fixed parsing issue in cefkv
Version 1.2 (updated Apr 07, 2011)
release notes:
Allow key names with [NNN], e.g. "ad.SQL_TEXT[0]"
Version 1.1 (updated Mar 03, 2011)
release notes:
Regex now uses positive look-ahead assertion (?=)
Version 1.0.1 (updated Feb 16, 2011)
release notes:
Fixed problem with keys containing ":", e.g. ad.Attributes:Attribute_Name
Version 1.0.1_previously_1.0 (updated Feb 13, 2011)

posted 13 Feb '11, 08:51 by IgorB

new version 14 Apr '11, 10:19

Details

This app is not covered by any support agreements in place with Splunk. If you have questions about the installation or operation of this app, please contact the author.

Version 1.2.1
Last Updated: Apr 14, 2011
Download Add-on
Author: IgorB
Version: 1.2.1
Splunk compatibility: 4.3, 4.2, 4.1, 4.x
Price: Free
License: Creative Commons BY 3.0
Downloads: 324

Copyright © 2005-2012 Splunk, Inc. All rights reserved.