
SafeLine WAF — Splunk App (open source)

Published a month ago

# SafeLine WAF

htayanloo

Updated a month ago

If you're running Chaitin SafeLine WAF and shipping logs to Splunk, I built a complete app that turns the raw syslog into something usable.

What's included:

  • Sourcetype safeline:waf with auto-extraction of ~70 JSON fields per event
  • CIM mapping (Web / Network_Traffic / IDS / Alerts)
  • HTTP request & response header parsing
  • Safe regex — handles multi-KB events without hanging
  • 10 dashboards: Overview · Real-Time Monitor · Site Compare · Site Detail · Attacks · IP Reputation & Hunt · Bot & JA4 Analysis · Traffic (latency p50–p99) · Geo · Compliance & Audit
  • 5 prebuilt alerts (disabled by default): critical attack · high-volume attacker · multi-site attacker · mitigation drop · traffic spike
  • Workflow actions: right-click any IP / site / rule for drill-down dashboards. Optional OSINT links (VirusTotal / AbuseIPDB / Shodan).

Install:

  1. Download safeline_TA-2.0.0.tar.gz from the release
  2. Splunk Web → Apps → Manage Apps → Install app from file
  3. Restart Splunk
  4. Configure your syslog input (UDP/TCP/file examples included)

Repo: https://github.com/htayanloo/SafelineSplunkApp

If it was useful to you, please give it a star. Thank you.

Feedback, issues and PRs welcome. If you want a specific dashboard or alert that fits your workflow, drop a comment and I'll build it.
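As an added example for install step 4, not taken from the post or from the app's own files: a minimal inputs.conf on the Splunk instance that receives the WAF logs, covering the UDP, TCP and file cases the post mentions. The port (514), the index name (safeline) and the log path are assumptions; the sourcetype safeline:waf is the one the app ships, and the JSON field extraction comes from the app's own configuration, not from this file.

```ini
# inputs.conf, e.g. $SPLUNK_HOME/etc/system/local/inputs.conf or local/ inside your own config app.
# Assumptions: port 514, index "safeline" and the file path below are placeholders; change them to match your setup.

# Option A: SafeLine (or a syslog relay) sends syslog over UDP
[udp://514]
sourcetype = safeline:waf
index = safeline
# record the sender's IP as host rather than resolving DNS on every packet
connection_host = ip
# keep the syslog timestamp in the event instead of prepending Splunk's own
no_appending_timestamp = true

# Option B: syslog over TCP, which avoids UDP datagram size limits and truncation of multi-KB events
[tcp://514]
sourcetype = safeline:waf
index = safeline
connection_host = ip

# Option C: a local syslog daemon already writes the SafeLine events to disk
[monitor:///var/log/safeline/waf.log]
sourcetype = safeline:waf
index = safeline
disabled = false
```

The index must exist before events arrive (create it under Settings → Indexes or in indexes.conf), and listening on port 514 requires Splunk to run with root privileges; an unprivileged Splunk should listen on a port above 1024 and the WAF or relay should be pointed there.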