Use the Splunk App for CEF
To use the Splunk App for CEF, from Splunk Home, click Apps, and then click Splunk App for CEF.
The Splunk App for CEF ships with a built-in example search, which is disabled by default. You can use the example or create your own from scratch. To get started, click the New button or click the name of the example search.
The typical process for using the Splunk App for CEF is as follows:
- Select data
- Map fields
- Create static fields (optional)
- Define outputs
- Save the search
Select data
On the Select data page, choose a data model and data model object from which to retrieve the data.
Map fields
The Splunk App for CEF first inspects the data model type and automatically maps any data model attributes that it can match to CEF fields.
Not all data models contain attributes that correspond well to CEF fields, so the Field Mappings page may list some CEF fields as missing. You need to map each missing field to a data model attribute.
For each missing CEF field, choose a data model attribute for it to map to:
- Choose a field to map from the list.
- Find the data model attribute listed in the right column that best fits the CEF field.
- In the same row as the data model attribute you've chosen, click the pop-up menu in the left column, and choose the CEF field to which you want the data model attribute to map.
Note: The Splunk App for CEF does not do any translation of non-UTF-8-encoded characters. Non-UTF-8 characters may result in improperly formatted CEF output. This includes non-UTF-8 characters in any field mappings plus pipe (|) characters in field mappings targeted at the CEF header, backslashes (\) in field mappings targeted at the CEF prefix, and equal signs (=) targeted at the CEF record's contents. A workaround for this issue is to build the handling of these characters into your search.
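The note above says the app does not escape reserved CEF characters, so the search must handle them. The following added example (not code from the Splunk App for CEF) models the CEF escaping rules in Python and parses the result the way a syslog receiver would, so you can see exactly how an unescaped pipe in the header shifts every following field, and how an unescaped equals sign corrupts the extension. The event values and field names are constructed; the escaping rules follow the CEF header (backslash, pipe) and extension (backslash, equals, line break) conventions:

```python
# Model of the CEF escaping the Splunk App for CEF leaves to the search.
# Added example, not part of the app; all sample values are constructed.

HEADER_KEYS = ["version", "vendor", "product", "device_version",
               "signature_id", "name", "severity"]


def _to_text(value):
    """Bytes that are not valid UTF-8 become U+FFFD instead of corrupting the record."""
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace")
    return str(value)


def escape_header(value):
    """CEF header (prefix) fields reserve backslash and pipe."""
    return _to_text(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension_value(value):
    """CEF extension values reserve backslash, equals sign and line breaks."""
    return (_to_text(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity,
              extension=None, escape=True):
    """Assemble one CEF:0 record; escape=False reproduces the malformed output
    the note warns about, for comparison."""
    header = [vendor, product, version, signature_id, name, severity]
    fix = escape_header if escape else _to_text
    line = "CEF:0|" + "|".join(fix(v) for v in header) + "|"
    if extension:
        fixv = escape_extension_value if escape else _to_text
        line += " ".join("%s=%s" % (k, fixv(v)) for k, v in extension.items())
    return line


def _split_unescaped(text, sep, maxsplit=None, specials=None):
    """Split on unescaped sep and unescape backslash sequences in the parts.
    Once maxsplit parts exist, the remainder is returned raw for the next stage."""
    specials = specials or {}
    parts, cur, i = [], [], 0
    while i < len(text):
        if maxsplit is not None and len(parts) == maxsplit:
            parts.append(text[i:])
            return parts
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            cur.append(specials.get(nxt, nxt))
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_extension(raw):
    """key=value pairs separated by spaces; values may contain spaces, keys may not."""
    pieces = _split_unescaped(raw, "=", specials={"n": "\n", "r": "\r"})
    if len(pieces) < 2:
        return {}
    fields, key = {}, pieces[0].strip()
    for piece in pieces[1:-1]:
        value, _, next_key = piece.rpartition(" ")
        fields[key] = value
        key = next_key
    fields[key] = pieces[-1]
    return fields


def parse_cef(line):
    """Parse as a receiver would: exactly 7 header fields, then the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_unescaped(line[4:], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 8 header fields, got %d" % len(parts))
    record = dict(zip(HEADER_KEYS, parts[:7]))
    record["extension"] = parse_extension(parts[7])
    return record


if __name__ == "__main__":
    # Constructed event: a pipe in the event name and an '=' inside a message value.
    ext = {"src": "10.0.0.1", "msg": "user=alice", "act": "deny"}
    good = build_cef("Splunk", "CEF App", "1.0.0", "100", "login|failed", "5", ext)
    bad = build_cef("Splunk", "CEF App", "1.0.0", "100", "login|failed", "5", ext,
                    escape=False)
    print(good)
    print(parse_cef(good)["severity"])  # 5
    print(parse_cef(bad)["severity"])   # failed: the unescaped pipe shifted the header
```

The same substitutions (double each backslash, then prefix the reserved character with a backslash) are what you build into the search for the fields that feed the header and the extension; the parser here is only to show why the order of those substitutions matters, since escaping the pipe before the backslash would double-escape the pipe's own backslash.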
Create static fields (optional)
You have the option to create new static fields: a CEF field populated with a fixed value of your choosing rather than with an existing data model attribute.
To add a static field:
- Click Add new static field.
- Choose a CEF output field from the pop-up menu.
- Enter a value in the Field Value field.
When the data is translated to CEF, for every event the given field will be set to the value you entered.
Define outputs
In the Define outputs window, you specify where you want to send the data that has been converted to CEF.
To create a new output group:
- Click Create new output group.
- In the New Output Group window, enter a name for the output group, and then list the syslog receivers (host and port) that will receive the CEF data, separated by commas. Press Enter or type a comma after each host so that the entry validates.
- After you've created an output group, choose the output group you want, and then click Next.
Note: Only TCP output is supported. UDP output is not supported.
Save the search
In the Save search window, enter a description for the search that defines what is translated to CEF. Under the description field are two links:
- Show search: Shows the search in Search Processing Language (SPL) and indicates whether your search parses.
- Preview CEF events: Previews the events in CEF format.
Click Save. The search is enabled automatically.
This documentation applies to the following versions of Splunk® App for CEF: 1.0.0