Not a Splunk problem, but hopefully someone in the Splunk community has seen and solved it.
We're working on ingesting logs from Symantec Endpoint Manager. We intend to use the Splunk Add-on for Symantec Endpoint Protection, and per its recommendation, we intend to monitor a file on the SEP server.
I had the SEP admin grab a file, and it looks like this (this is in the actual file before indexing):
Time StampnullSite NamenullServer NamenullDomain NamenullAdmin NamenullEvent DescriptionnullObject Name
2016-03-31 14:17:17nullSite: Site ADCnullServer: ADC-SEP12MP1nullDomain: DefaultnullAdmin: kurtzpgnullPolicy has been edited: Update a Exceptions Policy shared policy Central Exception PolicynullCentral Exception Policy
I keep seeing the word 'null' where I would expect to see a delimiter.
I'm not seeing any configuration screens in SEP to change delimiters....
Anyone else seen this one?
Here's the solution we obtained from Symantec:
Add this line to conf.properties:
scm.extlog.deli=,
Run the Management Server Configuration Wizard
Go to the Manager Folder > Bin > Run sca.bat
Note that the wizard was run with no configuration changes in there, and after this the null disappeared.
Furthermore I've submitted a case to correct an invalid regex in the Symantec application that was causing the fields to not be extracted on some files from the Symantec server (after having the null removed).
This was the fix we needed!
This looks like an issue with file encoding and/or moving the file between systems. Is this how the file looks on the source machine as well? Is your SEP admin doing some weird copy/paste?
If this is indeed how your data will end up looking, I suggest creating a local copy of transforms.conf and adding to each space delimiter in the REGEXes an optional match for null. Something like this: [\s*|null]
That's the way it is on the source system. Pursuing with Symantec; the format does not match what the TA expects; it's almost gotta be some setting hidden in the Symantec config....
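As an added example (not from this thread, the Splunk add-on or Symantec), here is a small Python parser for the export format quoted above. It takes the field names from the header line, accepts either the literal `null` seen in the question or the comma that `scm.extlog.deli=,` configures, and flags any record whose field count does not match the header, since a value that itself contains the delimiter string would be split wrongly (the same risk a `null` alternative in a transforms.conf regex carries). The second sample is constructed by replacing `null` with a comma; it is not an actual post-fix file.

```python
# Constructed from the header and record quoted in the question (literal "null" delimiter).
SAMPLE_NULL = """Time StampnullSite NamenullServer NamenullDomain NamenullAdmin NamenullEvent DescriptionnullObject Name
2016-03-31 14:17:17nullSite: Site ADCnullServer: ADC-SEP12MP1nullDomain: DefaultnullAdmin: kurtzpgnullPolicy has been edited: Update a Exceptions Policy shared policy Central Exception PolicynullCentral Exception Policy"""

# Constructed: the same export as it would look once the delimiter is a comma.
SAMPLE_COMMA = SAMPLE_NULL.replace("null", ",")


def detect_delimiter(header):
    """Pick the delimiter from the header line: the literal 'null' if present, else ','."""
    return "null" if "null" in header else ","


def parse_export(text):
    """Parse a SEP admin-log export into (records, rejected).

    records  -- list of dicts keyed by the header's field names
    rejected -- (line number, raw line) pairs whose field count differs from the
                header, e.g. because a value contains the delimiter string itself
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    delim = detect_delimiter(lines[0])
    names = lines[0].split(delim)
    records, rejected = [], []
    for lineno, line in enumerate(lines[1:], start=2):
        values = line.split(delim)
        if len(values) != len(names):
            rejected.append((lineno, line))
            continue
        records.append(dict(zip(names, values)))
    return records, rejected


if __name__ == "__main__":
    for sample in (SAMPLE_NULL, SAMPLE_COMMA):
        recs, bad = parse_export(sample)
        print("delimiter:", repr(detect_delimiter(sample.splitlines()[0])))
        for rec in recs:
            print(" ", rec["Time Stamp"], "|", rec["Admin Name"], "|", rec["Object Name"])
        print("  rejected lines:", bad)
```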