automine/props.conf

## props.conf
[cef_sourcetype]
KV_MODE = none
EXTRACT-cef-message = \sCEF:\d\|(?<vendor>[^\|]+)\|(?<product>[^\|]+)\|(?<version>[^\|]+)\|(?<signature_id>[^\|]+)\|(?<signature>[^\|]+)\|(?<vendor_severity>[^\|]+)\|(?<cef_message>.*)
REPORT-cefLabelFirst = cefLabelFirst
REPORT-cefLabelSecond = cefLabelSecond
REPORT-builtInCefFields = builtInCefFields

## transforms.conf
[cefLabelFirst]
SOURCE_KEY = cef_message
REGEX = \bc(s|n)(\d+)(?:Label)?=(?<_KEY_1>[^=]+)(?=\s+\w+=).*?c\1\2=(?<_VAL_1>[^=]+)(?=\s+\w+=)
KEEP_EMPTY_VALS = True
MV_ADD = True

[cefLabelSecond]
SOURCE_KEY = cef_message
REGEX = \bc(s|n)(\d+)=(?<_VAL_1>[^=]+)(?=\s+\w+=).*?c\1\2(?:Label)?=(?<_KEY_1>[^=]+)(?=\s+\w+=)
KEEP_EMPTY_VALS = True
MV_ADD = True

[builtInCefFields]
SOURCE_KEY = cef_message
REGEX = \b(?<_KEY_1>(?!c[sn])\w+)=(?<_VAL_1>[^=]+)(?=(?:\s+\w+=|$))
KEEP_EMPTY_VALS = True
MV_ADD = true
	[cef_sourcetype]
	KV_MODE = none
	EXTRACT-cef-message = \sCEF:\d\\|(?<vendor>[^\\|]+)\\|(?<product>[^\\|]+)\\|(?<version>[^\\|]+)\\|(?<signature_id>[^\\|]+)\\|(?<signature>[^\\|]+)\\|(?<vendor_severity>[^\\|]+)\\|(?<cef_message>.*)
	REPORT-cefLabelFirst = cefLabelFirst
	REPORT-cefLabelSecond = cefLabelSecond
	REPORT-builtInCefFields = builtInCefFields
	[cefLabelFirst]
	SOURCE_KEY = cef_message
	REGEX = \bc(s\|n)(\d+)(?:Label)?=(?<_KEY_1>[^=]+)(?=\s+\w+=).*?c\1\2=(?<_VAL_1>[^=]+)(?=\s+\w+=)
	KEEP_EMPTY_VALS = True
	MV_ADD = True

	[cefLabelSecond]
	SOURCE_KEY = cef_message
	REGEX = \bc(s\|n)(\d+)=(?<_VAL_1>[^=]+)(?=\s+\w+=).*?c\1\2(?:Label)?=(?<_KEY_1>[^=]+)(?=\s+\w+=)
	KEEP_EMPTY_VALS = True
	MV_ADD = True

	[builtInCefFields]
	SOURCE_KEY = cef_message
	REGEX = \b(?<_KEY_1>(?!c[sn])\w+)=(?<_VAL_1>[^=]+)(?=(?:\s+\w+=\|$))
	KEEP_EMPTY_VALS = True
	MV_ADD = true