I noticed that some fields within the Splunk for Symantec sourcetype=symantec:ep:security:file are not being properly extracted. For example, the Applications_Name field has time values:
2017-11-14 21:28:57
2017-11-14 21:31:29
begin_Time has protocol values:
ICMP
TCP
UDP
as well as some other fields with values that aren't matching up. Anyone else having this issue?
Thx
I do not believe these are fields that come with this app; they do not exist on my deployment, nor was I able to find "Applications_Name" anywhere in my servers.
I suspect these fields may have been locally grown; I suggest looking up their attributes/owner under field settings.
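One way to do the lookup the reply above suggests from the search bar rather than the field-settings UI. This is an added example and not part of the original thread or of the Splunk for Symantec app; it only assumes the sourcetype and field names quoted in the question, and that the search head's own REST endpoints are reachable (`splunk_server=local`). It lists every field extraction and field alias that targets the sourcetype, with the app, owner and sharing level each one belongs to, so an object that was created locally (owner is a user rather than `nobody`, app is not the Symantec app) stands out.

```spl
| rest /servicesNS/-/-/data/props/extractions splunk_server=local
| append [| rest /servicesNS/-/-/data/props/fieldaliases splunk_server=local]
| search stanza="symantec:ep:security:file"
    OR value="*Applications_Name*" OR value="*begin_Time*"
| table title stanza attribute type value eai:acl.app eai:acl.owner eai:acl.sharing updated
| sort eai:acl.app eai:acl.owner
```

The `title`/`attribute` columns show the props.conf setting that defines the field (for example an `EXTRACT-` or `FIELDALIAS-` stanza), and `eai:acl.app` / `eai:acl.owner` tell you which app and user it lives under. If you have shell access to the search head, the same answer with file paths comes from `$SPLUNK_HOME/bin/splunk btool props list symantec:ep:security:file --debug`, which prefixes each setting with the props.conf file it was read from, so a setting coming from a `local/` directory or a user's private app is immediately visible.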