Has anyone seen the word 'null' in SEP logs rather than a delimiter?

wegscd
Contributor

Not a Splunk problem, but hopefully someone in the Splunk community has seen and solved it.

We're working on ingesting logs from Symantec Endpoint Manager. We intend to use the Splunk Add-on for Symantec Endpoint Protection, and per its recommendation, we intend to monitor a file on the SEP server.

I had the SEP admin grab a file, and it looks like this (this is in the actual file before indexing):

Time StampnullSite NamenullServer NamenullDomain NamenullAdmin NamenullEvent DescriptionnullObject Name
2016-03-31 14:17:17nullSite: Site ADCnullServer: ADC-SEP12MP1nullDomain: DefaultnullAdmin: kurtzpgnullPolicy has been edited: Update a Exceptions Policy shared policy Central Exception PolicynullCentral Exception Policy

I keep seeing the word 'null' where I would expect to see a delimiter.

I'm not seeing any configuration screens in SEP to change delimiters....

Anyone else seen this one?

1 Solution

gjanders
SplunkTrust

Here's the solution we obtained from Symantec:

Add this line to conf.properties:
scm.extlog.deli=,

Run the Management Server Configuration Wizard
Go to the Manager Folder > Bin > Run sca.bat

Note that the wizard was run with no configuration changes in there, and after this the null disappeared.
Furthermore I've submitted a case to correct an invalid regex in the Symantec application that was causing the fields to not be extracted on some files from the Symantec server (after having the null removed).

wegscd
Contributor

This was the fix we needed!


mreynov_splunk
Splunk Employee

This looks like an issue with file encoding and/or moving the file between systems. Is this how the file looks on the source machine as well? Is your SEP admin doing some weird copy/paste?

If this is indeed how your data will end up looking, I suggest creating a local copy of transforms.conf and adding to each space delimiter in the REGEXes an optional match for null. Something like this: (?:\s*|null)

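Added example (not from the thread, the add-on, or Symantec): a small parser that works out which delimiter a SEP external-log export actually uses, tab, comma or the literal word "null" as in the question, and splits an event into named fields. It uses the two lines quoted above as constructed input; the candidate list and the label-stripping rule are my assumptions about the format.

```python
# Constructed sample input, copied from the two lines quoted in the question:
# the SEP server wrote the literal word "null" where the TA expects a delimiter.
HEADER = ("Time StampnullSite NamenullServer NamenullDomain NamenullAdmin Name"
          "nullEvent DescriptionnullObject Name")
EVENT = ("2016-03-31 14:17:17nullSite: Site ADCnullServer: ADC-SEP12MP1nullDomain: Default"
         "nullAdmin: kurtzpgnullPolicy has been edited: Update a Exceptions Policy shared "
         "policy Central Exception PolicynullCentral Exception Policy")

# Delimiters to consider (assumption): tab, comma (what scm.extlog.deli=, produces)
# and the literal "null" seen in this thread.
CANDIDATES = ("\t", ",", "null")


def detect_delimiter(header):
    """Pick the candidate that occurs most often in the header row.

    The header is used rather than an event line so that the word "null"
    inside an event description cannot skew the choice. Returns None when
    no candidate occurs at all (an unknown format, not a fixable one)."""
    best = max(CANDIDATES, key=header.count)
    return best if header.count(best) else None


def strip_label(column, value):
    """Drop SEP's redundant label prefix, e.g. "Site: Site ADC" under "Site Name"."""
    prefix = column.split()[0] + ": "
    return value[len(prefix):] if value.startswith(prefix) else value


def parse_event(header, line):
    """Split one SEP event into a {column: value} dict using the detected delimiter.

    Raises ValueError when the column count disagrees, which is what happens
    when a "null"-delimited description itself contains the word "null"."""
    delim = detect_delimiter(header)
    if delim is None:
        raise ValueError("no known delimiter in header")
    names, values = header.split(delim), line.split(delim)
    if len(names) != len(values):
        raise ValueError(f"expected {len(names)} fields, got {len(values)} with {delim!r}")
    return {name: strip_label(name, value) for name, value in zip(names, values)}


if __name__ == "__main__":
    print("delimiter:", repr(detect_delimiter(HEADER)))
    for column, value in parse_event(HEADER, EVENT).items():
        print(f"{column:18} {value}")
```

A detected delimiter of "null" is a cheap pre-ingest check that the SEP server is still misconfigured, before the add-on's extractions silently fail.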

wegscd
Contributor

That's the way it is on the source system. Pursuing with Symantec; the format does not match what the TA expects; it's almost gotta be some setting hidden in the Symantec config....
