
Has anyone seen the word 'null' in SEP logs rather than a delimiter?

wegscd
Contributor

Not a Splunk problem, but hopefully someone in the Splunk community has seen and solved it.

We're working on ingesting logs from Symantec Endpoint Manager. We intend to use the Splunk Add-on for Symantec Endpoint Protection, and per its recommendation, we intend to monitor a file on the SEP server.

I had the SEP admin grab a file, and it looks like this (this is in the actual file before indexing):

Time StampnullSite NamenullServer NamenullDomain NamenullAdmin NamenullEvent DescriptionnullObject Name
2016-03-31 14:17:17nullSite: Site ADCnullServer: ADC-SEP12MP1nullDomain: DefaultnullAdmin: kurtzpgnullPolicy has been edited: Update a Exceptions Policy shared policy Central Exception PolicynullCentral Exception Policy

I keep seeing the word 'null' where I would expect to see a delimiter.

I'm not seeing any configuration screens in SEP to change delimiters....

Anyone else seen this one?


gjanders
SplunkTrust
SplunkTrust

Here's the solution we obtained from symantec:

Add this line on the conf.properties :
scm.extlog.deli=,

Run the Management Server Configuration Wizard
Go to the Manager Folder > Bin > Run sca.bat

Note that the wizard was run with no configuration changes in there, and after this the null disappeared.
Furthermore I've submitted a case to correct an invalid regex in the Symantec application that was causing the fields to not be extracted on some files from the Symantec server (after having the null removed).

wegscd
Contributor

This was the fix we needed!


mreynov_splunk
Splunk Employee
Splunk Employee

This looks like an issue with file encoding and/or moving the file between systems. Is this how the file looks on the source machine as well? Is your SEP admin doing some weird copy/paste?

If this is indeed how your data will end up looking, I suggest creating a local copy of transforms.conf and adding to each space delimiter in the REGEXes an optional match for null. Something like this: [\s*|null]

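An added example (my own code, not from this thread or the Splunk Add-on for Symantec Endpoint Protection) showing how to detect which delimiter an SEP external-log export is actually using and flag the literal 'null' case before trusting any field extractions built on it. The sample lines are constructed from the two lines quoted in the question, and the column count of 7 is an assumption taken from that header.

```python
# Constructed sample based on the two lines shown in the question: a header and one
# record where the literal string "null" appears in place of every delimiter.
SAMPLE_NULL_DELIM = (
    "Time StampnullSite NamenullServer NamenullDomain NamenullAdmin Name"
    "nullEvent DescriptionnullObject Name\n"
    "2016-03-31 14:17:17nullSite: Site ADCnullServer: ADC-SEP12MP1"
    "nullDomain: DefaultnullAdmin: kurtzpgnullPolicy has been edited: Update a "
    "Exceptions Policy shared policy Central Exception PolicynullCentral Exception Policy\n"
)
# The same export after scm.extlog.deli=, is applied (constructed by substitution).
SAMPLE_COMMA_DELIM = SAMPLE_NULL_DELIM.replace("null", ",")

EXPECTED_COLUMNS = 7  # assumed: the column count of the header in the question


def detect_delimiter(header):
    """Return the delimiter that splits the header into EXPECTED_COLUMNS fields.
    Real delimiters (tab, comma) are tried first and the literal word 'null' last,
    because 'null' is a substring that could legitimately occur inside a value."""
    for delim in ("\t", ",", "null"):
        if len(header.split(delim)) == EXPECTED_COLUMNS:
            return delim
    raise ValueError("cannot determine delimiter from header: %r" % header)


def parse_sep_export(text):
    """Parse an SEP export into dicts keyed by the header names.
    Returns (delimiter_used, records, warnings). A 'null' delimiter is reported as a
    warning: the add-on's field extractions will not match lines in that shape."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    delim = detect_delimiter(lines[0])
    fields = lines[0].split(delim)
    warnings = []
    if delim == "null":
        warnings.append("delimiter is the literal string 'null'; "
                        "set scm.extlog.deli in conf.properties")
    records = []
    for num, line in enumerate(lines[1:], start=2):
        # maxsplit stops an over-split line from shifting later columns, so a
        # 'null' inside the last field (Object Name) is preserved intact.
        values = line.split(delim, EXPECTED_COLUMNS - 1)
        if len(values) != EXPECTED_COLUMNS:
            warnings.append("line %d: expected %d fields, got %d"
                            % (num, EXPECTED_COLUMNS, len(values)))
            continue
        records.append(dict(zip(fields, values)))
    return delim, records, warnings
```

Running it over a freshly exported file is a quick check that the conf.properties fix actually took effect before the file is handed to the monitor input.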

wegscd
Contributor

That's the way it is on the source system. Pursuing with Symantec; the format does not match what the TA expects; it's almost gotta be some setting hidden in the Symantec config....
