Splunk® App for CEF

Deploy and Use Splunk App for CEF

This documentation does not apply to the most recent version of CEFapp.

Use the Splunk App for CEF

To use the Splunk App for CEF, from Splunk Home, click Apps, and then click Splunk App for CEF.

The Splunk App for CEF ships with a built-in example search, which is disabled by default. You can use the example or create your own from scratch. To get started, click the New button or click the name of the example search.

The typical process for using the Splunk App for CEF is as follows:

  1. Select data
  2. Map fields
  3. Create static fields (optional)
  4. Define outputs
  5. Save the search

Select data

On the Select data page, choose a data model and data model object from which to retrieve the data.

Map fields

The Splunk App for CEF first looks at the data model type and identifies any mappings of data model attributes to CEF fields that it can determine automatically.

Not all data models contain attributes that correspond well to CEF fields, so the Field Mappings page may list some missing fields. You must map each missing field to a data model attribute yourself.

[Image: the Field Mappings page (Cef map fields.png)]

For each missing CEF field, choose a data model attribute for it to map to:

  1. Choose a field to map from the list.
  2. Find the data model attribute listed in the right column that best fits the CEF field.
  3. In the same row as the data model attribute you've chosen, click the pop-up menu in the left column, and choose the CEF field to which you want the data model attribute to map.

Note: The Splunk App for CEF does not translate non-UTF-8-encoded characters, so non-UTF-8 characters in any mapped field may produce improperly formatted CEF output. The same applies to CEF's reserved characters when they appear in mapped values: pipe (|) characters in field mappings targeted at the CEF header, backslashes (\) in field mappings targeted at the CEF prefix, and equal signs (=) in field mappings targeted at the CEF record's contents. The workaround is to handle these characters in your search, before the data is converted to CEF.
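The following is an added example, not code from the Splunk App for CEF, showing why the reserved characters matter and what "handling them in your search" has to achieve. It applies the escaping rules of the ArcSight CEF format (pipe and backslash escaped in the header, equal sign and backslash escaped in the extension) and splits a record back into its header fields so the effect of an unescaped pipe is visible; the function names and the sample event are constructed for this example, and the same replacements would be applied in SPL before the app sees the values.

```python
# Added example (not part of the Splunk App for CEF): escaping that the app
# does not perform, applied before a value goes into the CEF header (the
# page's "prefix") or the extension (the page's "record contents"). Rules
# follow the ArcSight CEF format: '|' and '\' are escaped in the header,
# '=' and '\' in the extension, plus CR/LF so a value cannot end the record.
HEADER_FIELDS = 7  # CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity

def escape_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")

def escape_extension(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def build_cef(vendor, product, version, sig_id, name, severity, ext, escape=True):
    """Assemble one CEF:0 record; escape=False reproduces unescaped output."""
    eh = escape_header if escape else str
    ee = escape_extension if escape else str
    header = "|".join(eh(str(f)) for f in (vendor, product, version, sig_id, name, severity))
    pairs = " ".join(f"{k}={ee(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{pairs}"

def split_header(line: str):
    """Split a record into its 7 header fields, honouring '\\|' and '\\\\'.
    Returns (fields, extension_text); a value that was not escaped shows up
    as shifted header fields and a truncated extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < HEADER_FIELDS:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, line[i:]

if __name__ == "__main__":
    # constructed event: the name contains a pipe, the user value contains '='
    args = ("Splunk", "App for CEF", "1.0.0", "100", "Login failed|retry", 5,
            {"suser": "a=b", "src": "10.0.0.1"})
    for escape in (False, True):
        fields, ext = split_header(build_cef(*args, escape=escape))
        print("escaped" if escape else "raw", "| name:", fields[5],
              "| severity:", fields[6], "| extension:", ext)
```

In the unescaped record the receiver reads "retry" as the severity and "5|suser=a=b ..." as the extension; in the escaped record every field lands where the mapping intended.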

Create static fields (optional)

You have the option to create new static fields. A static field populates a CEF field with a fixed value rather than with an existing data model attribute.

To add a static field:

  1. Click Add new static field.
  2. Choose a CEF output field from the pop-up menu.
  3. Enter a value in the Field Value field.

When the data is translated to CEF, that field is set to the value you entered for every event.

Define outputs

In the Define outputs window, you specify where you want to send the data that has been converted to CEF.

To create a new output group:

  1. Click Create new output group.
  2. In the New Output Group window, enter a name for the output group, and then list the syslog receivers (host and port number) that will receive the CEF data, separated by commas. Press Enter or type a comma after each host, even if you enter only one; otherwise validation fails.
  3. After you've created an output group, choose the output group you want, and then click Next.

Note: Only TCP output is supported. UDP output is not supported.

Save the search

In the Save search window, you enter a description for the search that defines what is translated to CEF.

  1. In the description field, enter the description. Under the description field are two links:

    • Show search: Shows the search in Search Processing Language (SPL), and indicates whether your search parses.
    • Preview CEF events: Previews the events in CEF.
  2. Click Save. The search is enabled automatically.

Last modified on 02 November, 2016

This documentation applies to the following versions of Splunk® App for CEF: 1.0.0