I have a data feed in CEF format. Splunk picks up the key-value pairs except for values containing whitespace; for instance, for "subject=my testing" in the sample log below, Splunk only extracts "my" for "subject". I can create a custom regex, such as "src=(?P<src>[^\s]+)\sdst=(?P<dst>[^\s]+)\sspt=(?P<spt>[^\s]+)\ssubject=(?P<subject>.+)".
Sep 19 08:26:10 host CEF:0|ESM|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 subject=my testing
Is there an easy way to fix this issue without creating a custom regex? Thanks.
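The whitespace problem described in the question, as an added example (not code from the post or from Splunk): a small CEF parser that splits the extension only at whitespace immediately followed by another key=, so "subject=my testing" survives intact; the sample line is the one from the question, and the header field names are the standard CEF ones.

```python
import re

# Sample CEF event copied from the question above.
SAMPLE = ("Sep 19 08:26:10 host CEF:0|ESM|threatmanager|1.0|100|"
          "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 subject=my testing")

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Header fields are pipe-delimited; a literal pipe inside a header field is escaped as '\|'.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Split the extension on whitespace only when the next token looks like a key= (lookahead),
# so spaces inside a value are never treated as a field boundary.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line.

    Values in the extension keep embedded spaces because the split happens only at
    whitespace immediately followed by another key=.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    parts = _HEADER_SPLIT.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    extension = {}
    for token in _EXT_SPLIT.split(parts[7].strip()):
        key, _, value = token.partition("=")
        # A literal '=' inside an extension value is escaped as '\=' in CEF.
        extension[key] = value.replace("\\=", "=")
    return header, extension

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["name"], "|", ext["subject"])
```

The same lookahead idea (split only where the next token is a key=) is what a field-extraction regex needs to express for multi-word values.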