Define CEF mappings and output groups with the Splunk App for CEF
Use the Splunk App for CEF to map data from the Splunk platform to CEF-compliant fields, configure the output destinations, and create the Splunk Add-on for CEF Output that manages the output configuration on your indexers.
Access the Splunk App for CEF on your search head, then click New CEF output.
- Select the data you want to output in common event format
- Map the data to CEF-compliant fields
- (optional) Create static fields
- Define the output groups to specify the destinations for your CEF data
- Validate and save the CEF mapping search
- Finish and export the Splunk Add-on for CEF Output
- Deploy the Splunk Add-on for CEF Output to indexers
Select the data that you want to output in common event format
On the Select Data step, choose a data model and data model dataset from which to retrieve the data.
Prerequisite: You must have a data model available that fits your use case. The data model and dataset that you select in this step serve as a filter for your data. Only data that meets the constraints of the data model and dataset are mapped to CEF fields and forwarded. You can create or clone a data model to make the filter more specific to your needs, adding additional search constraints to reduce the number of events that you forward.
- Select a Data Model from the Data Model drop-down menu. This menu lists all data models that this app can access on your search head, including all the data models in the Splunk Common Information Model, if you have that installed.
- If you do not see the data model that you want in the list, check the permissions of the data model to ensure it is set to be shared to all apps.
- If you want to create a new data model to represent the data that you want to output in common event format, see Design data models.
Map the data to CEF-compliant fields
On the Map Fields step, identify the corresponding CEF fields for each data model attribute to include in your output.
- For each CEF field that you want to pass to your destination, select the data model attribute from the drop-down that best matches that field.
- If you are working with a CIM data model, review the pre-populated mappings that the Splunk App for CEF supplies for the data model attributes for which CEF fields are known.
- You can override any of these mappings selecting an alternate CEF field from the drop-down.
- You can also remove any of these fields completely by clicking the x icon to set the mapping to blank.
Create static fields
On the Create Static Fields step, you can optionally define static values for additional CEF output fields.
Use this option to populate a required CEF field with a static value when an appropriate data model attribute does not exist. You can add as many static fields as you want. In the CEF output, the given field is set to the value you entered in every event.
- If any fields required by the CEF standard are not mapped in the Map Fields step, enter a Field Value for each one.
- To add a static field, click Add static field.
- Enter a Field Value for the static field and select a corresponding Output Field.
- When you are finished creating static fields, click Next to continue.
Define the output groups to specify the destinations for your CEF data
In the Define Output Groups step, specify where you want to send the data that has been converted to CEF.
For Splunk Enterprise, only TCP output is supported. UDP output is not supported.
- Click Create output group.
- In the New Output Group window, enter a name for the output group.
- In the Hosts field, list the syslog receivers to which the Splunk App for CEF should send data, separated by commas. Include the port number for each receiver.
- Checking the check box for Deploying via Indexer Cluster Master does not deploy it to the cluster master for you, but formats it properly. There is no impact if search heads are clustered, this only matters if indexers are clustered.
- (Optional for Splunk Enterprise) In the Certificate Configuration section, use one of the following options to upload the SSL certificate file for the hosts:
- Select a previously uploaded certificate from the drop-down menu.
- Click Choose File to navigate to the certificate and select it.
- Drag and drop a certificate to the window.
- (Optional for Splunk Enterprise) In the Certificate Password field, enter the password for the encrypted private key for your system of record. This is the password that you set during the process of creation.
- (Optional for Splunk Enterprise) The SSL Common Name to Check and the Alternative SSL Common Name fields are used if you have a wildcard certificate and you want an extra layer of security. For example, if the certificate is
*.cert.pembut you want to make sure that a specific system is returned. Alternately, you can use a wildcard certificate as-is without using these fields.
- Click Save.
- Select the radio button of the output group that you just created, then click Next.
Validate and save the CEF mapping search
In the Save Search step, enter a name and description of what data is translated to CEF in this search.
- Examine the preview of the search that you have configured in the previous steps.
- (Optional) If you want to edit the search, click the < to go back to previous steps to alter your configurations.
- Click Preview CEF events to view the events that result from the search in CEF format.
- Verify that the search finds data in your data model and maps them correctly to CEF format.
- (Optional) If you see any problems with the results of the preview search, click the < to go back to previous steps to alter your configurations.
- If you are happy with the results of the search, enter a Search Name and an optional Search Description for the search.
- Check Use Indexed Real-time if you want to run this search in indexed real-time mode. Your selection here overrides your global settings for whether you want to use indexed real-time mode by default. Checking this box improves the performance of concurrent searches, but introduces some latency. See Indexed real-time search in the Splunk Enterprise Search Manual.
- When you are satisfied with the search and its settings, click Next.
The search runs immediately upon save, but the data is not sent to your output groups until the next step.
Finish and export the Splunk Add-on for CEF Output
On the Finish and Export step, you can export your output configuration in the form of the Splunk Add-on for CEF Output. This add-on instructs your indexers where to send the CEF data.
If you want to define additional output groups, you must perform this step again every time you change the output group definitions assigned for any of your CEF searches.
- When you are ready to send your destination information to your indexers, click Export outputs.
- Click Download add-on. The file will save with the filename format of
Upgrade an existing installation of the Splunk App for CEF
Deploy the Splunk Add-on for CEF Output to indexers
This documentation applies to the following versions of Splunk® App for CEF: 2.1.0