
Adding additional Fields?

zombag
New Member

Is there a way to add additional fields like File Owner or File Creation Date? Having difficulty finding the field names from DLP. Any help would be greatly appreciated.

0 Karma

pickerin
Path Finder

Yep, you can add additional fields. You have to do it at the Symantec DLP itself in the "Message" variable on the Response.

Monitor/Prevent Incidents
$BLOCKED$ – Indication of whether or not the message was blocked by the Symantec Data Loss Prevention system (yes or no).
$INCIDENT_ID$ – The ID of the incident.
$INCIDENT_SNAPSHOT$ – The fully qualified URL to the Incident Snapshot page for the incident.
$MATCH_COUNT$ – The incident match count.
$POLICY_NAME$ – The name of the policy that was violated.
$RECIPIENTS$ – A comma-separated list of one or more message recipients.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$SENDER$ – The message sender.
$SEVERITY$ – The severity assigned to the incident.
$SUBJECT$ – The subject of the message.

Discover Incidents
$FILE_NAME$ – The name of the file in which the incident was found.
$INCIDENT_ID$ – The ID of the incident.
$MATCH_COUNT$ – The incident match count.
$PARENT_PATH$ – The path to the parent directory of the file in which the incident was found.
$PATH$ – The full path to the file in which the incident was found.
$POLICY_NAME$ – The name of the policy that was violated.
$POLICY_RULES$ – A comma-separated list of one or more policy rules that were violated.
$QUARANTINE_PARENT_PATH$ – The path to the parent directory in which the file was quarantined.
$SCAN$ – The date of the scan that found the incident.
$SEVERITY$ – The severity assigned to the incident.
$TARGET$ – The name of the target in which the incident was found.

Once you've updated the message contents on the DLP, they will start appearing in the Event within Splunk.

E.g. the example Message contents from the documentation have you add this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

If you wanted to also include the URL link to the Incident, you'd just add it like this:
ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$, URL: $INCIDENT_SNAPSHOT$

-Rob

0 Karma
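Once the extra variables are in the Message template, the part that usually goes wrong is on the Splunk side: the emitted line is a flat "Label: value, Label: value" string, and a naive split on ", " breaks as soon as a Subject contains a comma or a Recipient list contains several addresses. The Python below is an added example (it is not code from the original answer, from Symantec, or from the Splunk app) that derives the label list from the template text itself and then parses a log line using only those known labels as delimiters, so values containing commas or "Re:"-style colons survive. The syslog line and the Incident Snapshot URL are constructed sample data, and the URL's shape is an assumption; the template string is the one quoted in the answer above with "URL: $INCIDENT_SNAPSHOT$" appended.

```python
import re

# The Message template as shown in the answer, with the URL field appended.
TEMPLATE = (
    "ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Count: $MATCH_COUNT$, "
    "Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, "
    "Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, "
    "Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$, "
    "URL: $INCIDENT_SNAPSHOT$"
)

# Constructed sample line, as Splunk would receive it after DLP has expanded
# the template. The Subject deliberately contains a comma and a "Re:" colon,
# the Recipient list contains two addresses, and Target is empty. The URL
# format is assumed, not taken from any Symantec documentation.
SAMPLE_LINE = (
    "ID: 12345, Policy Violated: PCI, Count: 3, Protocol: SMTP, "
    "Recipient: a@example.com,b@example.com, Sender: c@example.com, "
    "Severity: High, Subject: Re: Q2 numbers, final, Target: , "
    "Filename: report.xlsx, Blocked: yes, Endpoint: LAPTOP-01, "
    "URL: https://dlp.example.com/ProtectManager/incident/12345"
)


def template_labels(template):
    """Return (label, variable) pairs in the order they appear in the template.

    Each field is written as 'Label: $VARIABLE$' and fields are separated by
    ', '. Labels may contain spaces ('Policy Violated') but not commas.
    """
    return re.findall(r"(?:^|, )([^,$]+?): \$([A-Z_]+)\$", template)


def build_pattern(labels):
    """Compile a regex that matches 'Label: value' where a value runs until
    the next *known* label (or end of line), so commas inside values and
    colons inside subjects do not split a field."""
    alts = "|".join(re.escape(label) for label in labels)
    return re.compile(rf"(?:^|, )({alts}): (.*?)(?=, (?:{alts}): |$)", re.S)


def parse_message(line, template=TEMPLATE):
    """Parse one DLP message line into a dict keyed by template label."""
    labels = [label for label, _ in template_labels(template)]
    pattern = build_pattern(labels)
    return {m.group(1): m.group(2) for m in pattern.finditer(line)}


def missing_fields(parsed, template=TEMPLATE):
    """Labels present in the template but absent from a parsed line. Useful
    when a line comes from a different incident type than the template was
    written for, or when the template on the DLP side was not updated."""
    expected = [label for label, _ in template_labels(template)]
    return [label for label in expected if label not in parsed]


if __name__ == "__main__":
    fields = parse_message(SAMPLE_LINE)
    for key, value in fields.items():
        print(f"{key:16s} = {value!r}")
    print("missing:", missing_fields(fields))
```

When you add a field on the DLP side, append it at the end of the template rather than inserting it in the middle: any existing regex extraction in Splunk that relies on the order of the earlier fields keeps working, and the new field is a pure addition. Whatever the parser, checking the result against the label list (as missing_fields does) is the quickest way to notice that a line came through with the old template.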

m_hashmi
New Member

I had the same question: whether we can add additional fields like the URL link of the Incident Snapshot, Violated Rule, etc.

Can anyone help with this?

0 Karma