All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Adding additional Fields?

zombag
New Member
‎12-16-2013 06:33 PM

Is there a way to add additional fields like File Owner or File Creation Date? Having difficulty finding the field names from DLP. Any help would be greatly appreciated.

0 Karma
Reply

pickerin
Path Finder
‎08-19-2015 03:16 AM

Yep, you can add additional fields. You have to do it at the Symantec DLP itself in the "Message" variable on the Response.

Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY_NAME$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ - The message sender.
$SEVERITY$ – The severity assigned to incident.
$SUBJECT$ - The subject of the message.

Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY_NAME$ – The name of the policy that was violated.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ - The path to the parent directory in which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to incident.
$TARGET$ - The name of the target in which the incident was found.

Once you've updated the message contents on the DLP, they will start appearing in the Event within Splunk.

E.g. the example Message contents from the documentation has you add this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

If you wanted to also include the URL link to the Incident, you'd just add it like this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$, URL: $INCIDENT_SNAPSHOT$

-Rob

0 Karma
Reply

m_hashmi
New Member
‎03-24-2015 05:34 AM

Even I had the same question whether we can additional fields like url link of Incident snapshot, Violated Rule etc.

Can anyone help in this ..?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...