Splunk Addon for CEF is not adding header information to CEF Output
As part of the Splunk integration, we are receiving data from Splunk indexers through the Splunk Add-on for CEF, but we observed that the output does not have the base alert template components like Product and version information. We checked the configuration on the Splunk side and it is configured properly.
Is there any solution to get the correct product and version information from Splunk?
10.32.xx.xxx May 29 10:16:13 BB-BOU-DC02 CEF:0|x|z|unknown|4710|The domain controller attempted to validate the credentials for an account|5|dhost=BB-BOU-DC02 shost=BOU-DC-AWG1 act=failure app=win:unknown duser=203000006
I am expecting something like the information below, but it is not being generated by the Splunk Add-on.
Any suggestion on the question below would be much appreciated.
If we don't receive the header information in the Splunk CEF output, is there any possibility to accept the incoming CEF file and add the missing information through some scripting (Python)?
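As an added example (not code from the post or from the Splunk Add-on), this is one way to do the post-processing asked about in the last question: parse each syslog line carrying a CEF record, and where the Device Vendor, Device Product and Device Version header fields hold placeholders such as the `x`, `z` and `unknown` seen in the sample line, substitute values you configure. The vendor/product/version strings, the sample line and the treatment of `unknown` and empty fields as placeholders are assumptions.

```python
import re

# CEF header layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Values treated as "the add-on did not fill this in". 'x' and 'z' come from the
# sample line in the post; 'unknown' and empty are assumed placeholders.
PLACEHOLDERS = {"", "x", "z", "unknown"}

# Split only on pipes that are not escaped (CEF writes a literal pipe as '\|').
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def _escape_header(value):
    """Escape backslash and pipe so a configured value cannot break the header."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def parse_cef(line):
    """Return {'prefix', 'header', 'extension'} for a line holding a CEF record, else None."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    prefix, record = line[:idx], line[idx:]
    # maxsplit=7 keeps the extension (which may itself contain '|') in one piece
    parts = _UNESCAPED_PIPE.split(record, maxsplit=7)
    if len(parts) < 8:
        return None
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    return {"prefix": prefix, "header": header, "extension": parts[7]}


def fill_header(line, vendor, product, device_version):
    """Fill placeholder vendor/product/version fields; real values and non-CEF lines pass through."""
    parsed = parse_cef(line)
    if parsed is None:
        return line
    h = parsed["header"]
    for key, value in (("vendor", vendor), ("product", product),
                       ("device_version", device_version)):
        if h[key].strip() in PLACEHOLDERS:
            h[key] = _escape_header(value)
    fields = ["CEF:" + h["version"]] + [h[k] for k in HEADER_FIELDS[1:]]
    return parsed["prefix"] + "|".join(fields + [parsed["extension"]])


# Constructed sample, based on the line quoted in the post.
SAMPLE = ("10.32.xx.xxx May 29 10:16:13 BB-BOU-DC02 CEF:0|x|z|unknown|4710|"
          "The domain controller attempted to validate the credentials for an account|5|"
          "dhost=BB-BOU-DC02 shost=BOU-DC-AWG1 act=failure app=win:unknown duser=203000006")

if __name__ == "__main__":
    print(fill_header(SAMPLE, "Microsoft", "Windows", "2016"))
```

Run it as a filter over the received file (one line per call to `fill_header`) before handing the records to Archer; the syslog prefix and the extension are copied through untouched.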