About the Splunk App for CEF
The Splunk App for CEF enables you to aggregate and augment Splunk Enterprise events, transforming them into the Common Event Format (CEF), an open log management standard. The Splunk App for CEF is for users of applications such as ArcSight who want to take advantage of the capabilities of the Splunk platform, including raw data indexing, add-ons, and data models, to transform raw data before sending it to a CEF-compatible application.
The Splunk App for CEF reformats search results into the Common Event Format. You can then use the CEF output for processing in compatible applications such as ArcSight.
About common event format
Common Event Format (CEF) is a log management standard that was created to promote the interoperability of devices and apps that generate events or log files. The standard defines the syntax for individual log records. Each record consists of a header comprised of a timestamp and some keywords, and the record's contents, which are formatted as pipe-delimited key-value pairs.
How the app fits into your Splunk Enterprise deployment
The diagram illustrates how the Splunk App for CEF allows you to select data that is indexed in a Splunk Enterprise deployment, translate it into common event format, then send that data out to a syslog receiver for use in a CEF-compatible tool.
For a detailed explanation of how the app works, see How the Splunk App for CEF works.
To get started, see Installation and configuration overview for the Splunk App for CEF.
Support and resources for the Splunk App for CEF
This documentation applies to the following versions of Splunk® App for CEF: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0