Splunk® App for CEF

Deploy and Use Splunk App for CEF

About the Splunk App for CEF

The Splunk App for CEF enables you to aggregate and augment Splunk Enterprise events, transforming them into the Common Event Format (CEF), an open log management standard. The Splunk App for CEF is for users of applications such as ArcSight who want to take advantage of the capabilities of the Splunk platform, including raw data indexing, add-ons, and data models, to transform raw data before sending it to a CEF-compatible application.

The Splunk App for CEF reformats search results into the Common Event Format. You can then use the CEF output for processing in compatible applications such as ArcSight.

About common event format

Common Event Format (CEF) is a log management standard that was created to promote the interoperability of devices and apps that generate events or log files. The standard defines the syntax for individual log records. Each record consists of a header made up of a timestamp and some keywords, and the record's contents, which are formatted as pipe-delimited key-value pairs.
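To make the record syntax concrete, here is a small CEF encoder and decoder. It is an added example written for this page, not code from the Splunk App for CEF, and the vendor, product, host name and field values it uses are constructed. The point it illustrates is the one a defender cares about when forwarding events to a CEF consumer: header fields are pipe-delimited and extension values are key=value pairs, so a pipe, an equals sign or a line break inside user-controlled data has to be escaped, otherwise one event can masquerade as several or corrupt the fields the receiving tool keys on.

```python
"""Minimal CEF encoder/decoder showing the record syntax and escaping rules.
Added example; not part of the Splunk App for CEF."""
from datetime import datetime, timezone
import re

CEF_VERSION = "0"


def _escape_header(value: str) -> str:
    """Header fields are pipe-delimited, so '|' and '\\' are escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value: str) -> str:
    """Extension values: escape '\\' and '=', and encode line breaks so a
    value cannot end the record or smuggle in a second one."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def _unescape(value: str) -> str:
    """Reverse either escaping scheme; a lone trailing backslash is kept."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def format_cef(vendor, product, version, event_class_id, name, severity,
               extension=None, timestamp=None, host="splunk-hf"):
    """Build one CEF record with a syslog-style timestamp and host prefix.
    'host' is a constructed placeholder name."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be an integer 0-10")
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%b %d %H:%M:%S")
    header = "|".join(_escape_header(str(f)) for f in
                      (vendor, product, version, event_class_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(str(v))}"
                   for k, v in (extension or {}).items())
    return f"{ts} {host} CEF:{CEF_VERSION}|{header}|{ext}"


# A key is a run of word characters at the start of the extension or right
# after a space, followed by an unescaped '='.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")


def parse_cef(record: str) -> dict:
    """Split a record into its seven header fields and an extension dict."""
    start = record.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = record[start + len("CEF:"):]
    fields, cur, i = [], [], 0
    # Header scan: a backslash protects the next character, a bare '|'
    # closes a field; after seven fields the remainder is the extension.
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    names = ["version", "vendor", "product", "device_version",
             "event_class_id", "name", "severity"]
    out = dict(zip(names, fields))
    ext_text = body[i:]
    matches = list(_KEY_RE.finditer(ext_text))
    ext = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].rstrip(" "))
    out["extension"] = ext
    return out


if __name__ == "__main__":
    rec = format_cef("Acme", "Firewall|NG", "1.0", "100", "Blocked", 5,
                     {"src": "10.0.0.1", "msg": "a=b\nCEF:0|bad"})
    print(rec)
    print(parse_cef(rec))
```

The encoder emits one physical line even when a value contains a newline and a fake `CEF:` prefix, and the decoder recovers the original product name and message intact; without the escaping, a syslog receiver would see the embedded `CEF:0|bad` as a second header.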

How the app fits into your Splunk Enterprise deployment

The diagram illustrates how the Splunk App for CEF allows you to select data that is indexed in a Splunk Enterprise deployment, translate it into common event format, then send that data out to a syslog receiver for use in a CEF-compatible tool.

[Figure: CEF overview diagram (CEF-overview-draft2.png)]

For a detailed explanation of how the app works, see How the Splunk App for CEF works.

To get started, see Installation and configuration overview for the Splunk App for CEF.

Last modified on 09 September, 2019

This documentation applies to the following versions of Splunk® App for CEF: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0

