All Apps and Add-ons

Splunk for Symantec field extraction issue

jwalzerpitt
Influencer

I noticed that some fields within the Splunk for Symantec sourcetype=symantec:ep:security:file is not being properly extracted. For example, the Applications_Name field has time values:

2017-11-14 21:28:57
2017-11-14 21:31:29

begin_Time has protocol values:

ICMP
TCP
UDP

as well as some other fields with values that aren't matching up. Anyone else having this issue?

Thx

0 Karma

nychawk
Communicator

I do not believe these are fields that come with this app; they do not exist on my deployment, nor was I able to find "Applications_Name" anywhere in my servers.

I suspect these fields may have been locally grown, I suggest looking up their attributes/owner under field settings.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...