All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working

alexlomas
Path Finder
‎07-30-2015 06:10 AM

I found that the canned extractions for [field_extraction_for_agt_risk] and [field_extraction_for_agt_behavior] were not working with Splunk 6.2.3 and SEP manager v 12.1.4104.4130.

It looks like the last couple of fields for each were missing, in my case that's category_set, category_type, File_Size & Device_ID. I modified the regexes as below to make the last two fields optional. The pre-built dashboards now work correctly. I don't know if "something" is wrong in the versions, regexes, or logfiles themeselves, but if the developer sees this perhaps they can comment 🙂

[field_extraction_for_agt_behavior]
REGEX = (\s*'[^']*'|\s*[^,]*)(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1})?
FORMAT = Severity::$2 Host_Name::$3 Action::$4 Description::$5 API::$6 Begin_Time::$7 End_Time::$8 Rule_Name::$9 Caller_Process_ID::$10 Caller_Process_Name::$11 Return_Address::$12 Return_Module::$13 Parameter::$14 User_Name::$15 Domain_Name::$16 Action_Type::$17 File_Size::$18 Device_ID::$19

[field_extraction_for_agt_risk]
REGEX = (\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1},Application\sversion:\s(.*),Application\stype:([^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1})?
FORMAT = Risk_Action::$2 IP_Address::$3 Computer_Name::$4 Source::$5 Risk_Name::$6 Occurrences::$7 File_Path::$8 Description::$9 Actual_Action::$10 Requested_Action::$11 Secondary_Action::$12 Event_Time::$13 Event_Insert_Time::$14 End_Time::$15 Last_Update_Time::$16 Domain_Name::$17 Group_Name::$18 Server_Name::$19 User_Name::$20 Source_Computer_Name::$21 Source_Computer_IP::$22 Disposition::$23 Download_site::$24 Web_domain::$25 Downloaded_by::$26 Prevalence::$27 Confidence::$28 URL_Tracking_Status::$29 First_Seen::$31 Sensitivity::$32 Reason_for_white_listing::$33 Application_Hash::$34 Hash_Type::$35 Company_Name::$36 Application_Name::$37 Application_Version::$38 Application_Type::$39 File_Size::$40 Category_set::$41 Category_type::$42
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 02:06 PM

Alright, I guess it IS a bug and we will fix in the next release. The difference must stem from a difference in SEP configuration.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 02:06 PM

Alright, I guess it IS a bug and we will fix in the next release. The difference must stem from a difference in SEP configuration.

0 Karma
Reply
Solved! Jump to solution

alexlomas
Path Finder
‎07-30-2015 02:08 PM

OK - let me know if you want file samples offline.

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 02:14 PM

woud love some samples. thanks!

0 Karma
Reply
Solved! Jump to solution

alexlomas
Path Finder
‎07-31-2015 12:27 AM

Not quite sure how to mail them over - we have a support contract so if you can see me in the CRM you can pull out my email address I guess.

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 01:53 PM

A new reply to an answer on Splunk Add-on for Symantec Endpoint Protection: Canned field extractions not working was posted by alexlomas on Splunk Answers:

Awesome - are any of the other field extractions affected?

On a semi-related topic: how is the malware lookup supposed to work? Or rather, in which reports/panels is it used?

I might have been too hasty, please respond to question below to clarify.

re: malware lookup - it is used to map to CIM category field. TA is focused on getting data into Splunk and does not come with built in visual components. If you have ES, this data will show up in Malware related dashboards.

0 Karma
Reply
Solved! Jump to solution

mreynov_splunk
Splunk Employee
Splunk Employee
‎07-30-2015 01:45 PM

To confirm: the fields were not being extracted or missing in your logs?

0 Karma
Reply
Solved! Jump to solution

alexlomas
Path Finder
‎07-30-2015 02:03 PM

The fields are not in the logs - I modified the extractions to make the last two fields for both files optional with a (?: ... )?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...