cloudflare · pedrosousa · Dec 16, 2024 · Nov 11, 2024 · pedrosousa · Dec 16, 2024
@@ -6,12 +6,11 @@ sidebar:
 head:
   - tag: title
     content: Override expressions for HTTP DDoS Attack Protection
-
 ---
 
 :::note
 
-Only available to Enterprise customers with the Advanced DDoS Protection subscription. 
+Only available to Enterprise customers with the Advanced DDoS Protection subscription.
 :::
 
 Set an override expression for the HTTP DDoS Attack Protection managed ruleset to define a specific scope for [sensitivity level](/ddos-protection/managed-rulesets/http/override-parameters/#sensitivity-level) or [action](/ddos-protection/managed-rulesets/http/override-parameters/#action) adjustments.
@@ -36,11 +35,11 @@ You can use the following fields in override expressions:
 - `http.request.cookies`
 - `http.user_agent`
 - `http.x_forwarded_for`
-- `ip.geoip.asnum`
-- `ip.geoip.continent`
-- `ip.geoip.country`
-- `ip.geoip.is_in_european_union`
 - `ip.src`
+- `ip.src.asnum`
+- `ip.src.continent`
+- `ip.src.country`
+- `ip.src.is_in_european_union`
 - `ssl`
 - `cf.tls_client_auth.cert_verified`
 

@@ -6,10 +6,9 @@ sidebar:
 head:
   - tag: title
     content: Enable Logpush to Splunk
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare dashboard or via API.
 
@@ -20,25 +19,27 @@ Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare d
 5. In **Select a destination**, choose **Splunk**.
 
 6. Enter or select the following destination information:
-   * **Splunk raw HTTP Event Collector URL**
-   * **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/).
-   * **Auth Token**
-   * **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`.
-   * **Use insecure skip verify option** (not recommended).
+   - **Splunk raw HTTP Event Collector URL**
+   - **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/).
+   - **Auth Token**
+   - **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`.
+   - **Use insecure skip verify option** (not recommended).
 
 When you are done entering the destination details, select **Continue**.
 
 7. Select the dataset to push to the storage service.
 
 8. In the next step, you need to configure your logpush job:
-   * Enter the **Job name**.
-   * Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](/logs/reference/filters/) for more information. Not all datasets have this option available.
-   * In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push.
+
+   - Enter the **Job name**.
+   - Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](/logs/reference/filters/) for more information. Not all datasets have this option available.
+   - In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push.
 
 9. In **Advanced Options**, you can:
-   * Choose the format of timestamp fields in your logs (`RFC3339`(default),`Unix`, or `UnixNano`).
-   * Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs.
-   * Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`.
+
+   - Choose the format of timestamp fields in your logs (`RFC3339`(default),`Unix`, or `UnixNano`).
+   - Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs.
+   - Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`.
 
 10. Select **Submit** once you are done configuring your logpush job.
 
@@ -49,12 +50,8 @@ To set up a Splunk Logpush job:
 1. Create a job with the appropriate endpoint URL and authentication parameters.
 2. Enable the job to begin pushing logs.
 
-:::note[Note]
-
-
+:::note
 Unlike configuring Logpush jobs for AWS S3, GCS, or Azure, there is no ownership challenge when configuring Logpush to Splunk.
-
-
 :::
 
 <Render file="enable-read-permissions" />
@@ -63,34 +60,33 @@ Unlike configuring Logpush jobs for AWS S3, GCS, or Azure, there is no ownership
 
 To create a job, make a `POST` request to the Logpush jobs endpoint with the following fields:
 
-* **name** (optional) - Use your domain name as the job name.
-* **destination\_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below.
-
-  * **\<SPLUNK\_ENDPOINT\_URL>**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`.
-    * Cloudflare expects the HEC network port to be configured to `:443` or `:8088`.
-    * Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job.
-    * Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk.
-    * You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details.
-  * **\<SPLUNK\_CHANNEL\_ID>**: A unique channel ID. This is a random GUID that you can generate by:
-    * Using an online tool like the [GUID generator](https://www.guidgenerator.com/).
-    * Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`.
-  * **\<INSECURE\_SKIP\_VERIFY>**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate.
-
-:::note[Note]
-
-Cloudflare highly recommends setting this value to <code class="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information. 
+- **name** (optional) - Use your domain name as the job name.
+- **destination_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below.
+
+  - **\<SPLUNK_ENDPOINT_URL>**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`.
+    - Cloudflare expects the HEC network port to be configured to `:443` or `:8088`.
+    - Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job.
+    - Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk.
+    - You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details.
+  - **\<SPLUNK_CHANNEL_ID>**: A unique channel ID. This is a random GUID that you can generate by:
+    - Using an online tool like the [GUID generator](https://www.guidgenerator.com/).
+    - Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`.
+  - **\<INSECURE_SKIP_VERIFY>**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate.
+
+:::note
+Cloudflare highly recommends setting this value to <code class="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
 :::
 
-* `<SOURCE_TYPE>`: The Splunk source type. For example: `cloudflare:json`.
-* `<SPLUNK_AUTH_TOKEN>`: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`.
+- `<SOURCE_TYPE>`: The Splunk source type. For example: `cloudflare:json`.
+- `<SPLUNK_AUTH_TOKEN>`: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`.
 
 ```bash
 "splunk://<SPLUNK_ENDPOINT_URL>?channel=<SPLUNK_CHANNEL_ID>&insecure-skip-verify=<INSECURE_SKIP_VERIFY>&sourcetype=<SOURCE_TYPE>&header_Authorization=<SPLUNK_AUTH_TOKEN>"
 ```
 
-* **dataset** - The category of logs you want to receive. Refer to [Log fields](/logs/reference/log-fields/) for the full list of supported datasets.
+- **dataset** - The category of logs you want to receive. Refer to [Log fields](/logs/reference/log-fields/) for the full list of supported datasets.
 
-* **output\_options** (optional) - To configure fields, sample rate, and timestamp format, refer to [Log Output Options](/logs/reference/log-output-options/). For timestamp, Cloudflare recommends using `timestamps=rfc3339`.
+- **output_options** (optional) - To configure fields, sample rate, and timestamp format, refer to [Log Output Options](/logs/reference/log-output-options/). For timestamp, Cloudflare recommends using `timestamps=rfc3339`.
 
 Example request using cURL:
 
@@ -185,8 +181,6 @@ If your logpush destination hostname is proxied through Cloudflare, and you have
 2. Select **Create rule** and enter a descriptive name for it (for example, `Splunk`).
 3. Under **If incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input:
 
-
-
 | Field            | Operator   | Value                                                                 |
 | ---------------- | ---------- | --------------------------------------------------------------------- |
 | Request Method   | `equals`   | `POST`                                                                |
@@ -196,21 +190,18 @@ If your logpush destination hostname is proxied through Cloudflare, and you have
 | AS Num           | `equals`   | `132892`                                                              |
 | User Agent       | `equals`   | `Go-http-client/2.0`                                                  |
 
-
-
 4. After inputting the values as shown in the table, you should have an Expression Preview with the values you added for your specific rule. The example below reflects the hostname `splunk.cf-analytics.com`.
 
 ```txt
-(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.geoip.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0")
+(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.src.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0")
 ```
 
-5. Under the **Then** > **Choose an action** dropdown, select *Skip*.
-6. Under **WAF components to skip**, select *All managed rules*.
+5. Under the **Then** > **Choose an action** dropdown, select _Skip_.
+6. Under **WAF components to skip**, select _All managed rules_.
 7. Select **Deploy**.
 
 The WAF should now ignore requests made to Splunk HEC by Cloudflare.
 
-:::note[Note]
-
-To analyze and visualize Cloudflare Logs using the Cloudflare App for Splunk, follow the steps in the [Splunk Analytics integration page](/analytics/analytics-integrations/splunk/). 
+:::note
+To analyze and visualize Cloudflare Logs using the Cloudflare App for Splunk, follow the steps in the [Splunk Analytics integration page](/analytics/analytics-integrations/splunk/).
 :::
@@ -18,7 +18,7 @@ To route requests from visitors in the European Union to a Google Cloud Storage
 5. _(Optional)_ Use the [Rewrite URL](/rules/transform/url-rewrite/) feature of [Transform Rules](/rules/transform/) to adjust the URL structure. For example, you can [create a URL rewrite](/rules/transform/url-rewrite/create-dashboard/) that changes `/eu` to `/<BUCKET_NAME>` to match the URI path-style URL structure.
 6. Click **Next** and enter a descriptive name like "Route EU visitors to GCP" in Cloud Connector name.
 7. Under **If**, select **Custom filter expression** and enter the following expression:
-   `(ip.geoip.is_in_european_union)`<br />
+   `(ip.src.is_in_european_union)`<br />
    This expression targets traffic from European Union users.
 8. Select **Deploy** to activate the rule.
 

@@ -22,7 +22,7 @@ To have a welcome page in two languages, create two rewrite URL rules with a sta
 Text in **Expression Editor**:
 
 ```txt
-http.request.uri.path == "/welcome.html" && ip.geoip.country == "GB"
+http.request.uri.path == "/welcome.html" && ip.src.country == "GB"
 ```
 
 Text after **Path** > **Rewrite to...** > _Static_:
@@ -40,7 +40,7 @@ Text after **Path** > **Rewrite to...** > _Static_:
 Text in **Expression Editor**:
 
 ```txt
-http.request.uri.path == "/welcome.html" && ip.geoip.country == "PT"
+http.request.uri.path == "/welcome.html" && ip.src.country == "PT"
 ```
 
 Text after **Path** > **Rewrite to...** > _Static_:

@@ -22,12 +22,12 @@ This example single redirect for zone `example.com` will redirect United Kingdom
 **When incoming requests match**
 
 Using the Expression Editor:<br/>
-`(ip.geoip.country eq "GB" or ip.geoip.country eq "FR") and http.request.uri.path eq "/"`
+`(ip.src.country eq "GB" or ip.src.country eq "FR") and http.request.uri.path eq "/"`
 
 **Then**
 
 - **Type:** _Dynamic_
-- **Expression:** `lower(concat("https://", ip.geoip.country, ".example.com"))`
+- **Expression:** `lower(concat("https://", ip.src.country, ".example.com"))`
 - **Status code:** _301_
 
 </Example>

@@ -38,13 +38,13 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets \
   "phase": "http_request_dynamic_redirect",
   "rules": [
     {
-      "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"",
+      "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"",
       "description": "Redirect GB and FR users in home page to localized site.",
       "action": "redirect",
       "action_parameters": {
         "from_value": {
           "target_url": {
-            "expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))"
+            "expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))"
           },
           "status_code": 307,
           "preserve_query_string": true
@@ -68,13 +68,13 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets \
 			{
 				"id": "235e557b92fd4e5e8753ee665a9ddd75",
 				"version": "1",
-				"expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"",
+				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"",
 				"description": "Redirect GB and FR users in home page to localized site.",
 				"action": "redirect",
 				"action_parameters": {
 					"from_value": {
 						"target_url": {
-							"expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))"
+							"expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))"
 						},
 						"status_code": 307,
 						"preserve_query_string": true
@@ -107,13 +107,13 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \
   "phase": "http_request_dynamic_redirect",
   "rules": [
     {
-      "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"",
+      "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"",
       "description": "Redirect GB and FR users in home page to localized site.",
       "action": "redirect",
       "action_parameters": {
         "from_value": {
           "target_url": {
-            "expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))"
+            "expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))"
           },
           "status_code": 307,
           "preserve_query_string": true
@@ -155,13 +155,13 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \
 				"action_parameters": {
 					"from_value": {
 						"target_url": {
-							"expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))"
+							"expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))"
 						},
 						"status_code": 307,
 						"preserve_query_string": true
 					}
 				},
-				"expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"",
+				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"",
 				"description": "Redirect GB and FR users in home page to localized site.",
 				"last_updated": "2022-10-03T15:38:51.658387Z",
 				"ref": "235e557b92fd4e5e8753ee665a9ddd75",

@@ -32,7 +32,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{custom_rule
 --data '{
   "rules": [
     {
-      "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0",
+      "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0",
       "action": "challenge",
       "description": "challenge GB and FR or based on IP Reputation"
     },
@@ -57,7 +57,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{custom_rule
 				"id": "<CUSTOM_RULE_ID_1>",
 				"version": "1",
 				"action": "challenge",
-				"expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score \u003e 0",
+				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score \u003e 0",
 				"description": "challenge GB and FR or based on IP Reputation",
 				"last_updated": "2021-03-18T18:25:08.122758Z",
 				"ref": "<CUSTOM_RULE_REF_1>",
@@ -133,7 +133,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id}
 				"id": "<CUSTOM_RULE_ID_1>",
 				"version": "1",
 				"action": "challenge",
-				"expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score \u003e 0",
+				"expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score \u003e 0",
 				"description": "challenge GB and FR or based on IP Reputation",
 				"last_updated": "2021-03-18T18:25:08.122758Z",
 				"ref": "<CUSTOM_RULE_ID_1>",