
Wrong assignment for field 'action' in ePO sourcetype?


Hi Team,

In the Splunk Add-on for McAfee you have a query option in the inputs (template\example) configuration: [EPOEvents].[ThreatActionTaken] as [vendor_action].
Then we have two neighbours in props.conf:
FIELDALIAS-vendor_action_for_mcafee_epo=action AS vendor_action
LOOKUP-action_for_mcafee_epo=epo_action_lookup vendor_action OUTPUT action

According to the sequence of operations, the value of vendor_action obtains the value of action, which is obviously NULL. As a result both action and vendor_action return NULL.

Could you please correct this, or correct me if I'm wrong 🙂

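The precedence problem described in the question, modelled as an added Python example (not code from this thread or from the Splunk Add-on for McAfee): it applies a FIELDALIAS and then a LOOKUP, in Splunk's documented search-time order, to a constructed ePO event, once with the two quoted props.conf lines and once with the alias dropped. The lookup table contents, the event and the "corrected" configuration are assumptions for illustration.

```python
# Added example, not from the thread or the add-on: a minimal model of Splunk's
# search-time order (field aliases run before lookups) applied to the two
# props.conf lines quoted in the question.

# FIELDALIAS-vendor_action_for_mcafee_epo = action AS vendor_action
# LOOKUP-action_for_mcafee_epo = epo_action_lookup vendor_action OUTPUT action
MISCONFIGURED = {
    "fieldalias": [("action", "vendor_action")],   # <orig> AS <new>
    "lookup": ("vendor_action", "action"),         # <input> OUTPUT <output>
}
# Assumed fix: drop the alias, vendor_action already comes from the DB query.
CORRECTED = {
    "fieldalias": [],
    "lookup": ("vendor_action", "action"),
}

# Constructed stand-in for epo_action_lookup (ThreatActionTaken -> CIM action).
EPO_ACTION_LOOKUP = {"deleted": "blocked", "blocked": "blocked", "none": "allowed"}

def apply_fieldalias(event, aliases):
    """Model of FIELDALIAS <orig> AS <new>: the new field takes the original
    field's value. With a missing original the new field ends up null, which is
    exactly the behaviour the question describes."""
    out = dict(event)
    for orig, new in aliases:
        out[new] = out.get(orig)
    return out

def apply_lookup(event, lookup_spec, table):
    """Model of LOOKUP <table> <input> OUTPUT <output>: match on the input
    field's value and write the output field only when a row matches."""
    input_field, output_field = lookup_spec
    out = dict(event)
    key = out.get(input_field)
    if key is not None and key.lower() in table:
        out[output_field] = table[key.lower()]
    return out

def search_time_fields(event, config):
    """Run the alias first, then the lookup, as Splunk's precedence order does."""
    event = apply_fieldalias(event, config["fieldalias"])
    return apply_lookup(event, config["lookup"], EPO_ACTION_LOOKUP)

# Constructed ePO event as the DB input would deliver it: only vendor_action is present.
EVENT = {"vendor_action": "deleted", "ThreatName": "EICAR test file"}

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        fields = search_time_fields(EVENT, cfg)
        print(name, "vendor_action=", fields.get("vendor_action"), "action=", fields.get("action"))
```

With the quoted alias in place both fields come back null; with the alias dropped the lookup maps vendor_action to action as intended.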


Here is the props.conf statement I used to cobble together a decent "action" field:

| eval action=replace((replace((replace((case(
'ProductFamily'=="UDLP" OR 
match(lower('event_description'),"on-") OR 
match(lower('event_description'),"dll") OR 
match(lower('event_description'),"oss") OR 
match(lower('event_description'),"svm") OR 
match(lower('event_description'),"^scan") OR 
match(lower('event_description'),"policy") OR 
match(lower('event_description'),"service") OR 
match(lower('event_description'),"deferred") OR 
match(lower('event_description'),"update") OR 
match(lower('event_description'),"mcafee security") OR 
match(lower('event_description'),"protection \w+abled") OR
(match(lower('event_description'),"move") AND 'threat_handled'=="0"),lower('event_description'),

match(lower('event_description'),"pending") OR 
match(lower('event_description'),"unable to") OR
match(lower('event_description'),"not blocked") OR 
match(lower('event_description'),"would delete") OR 
match(lower('event_description'),"delete on reboot") OR 
(match(lower('event_description'),"handled") AND 'threat_handled'=="0") OR 
(match(lower('event_description'),"spam") AND match(lower('vendor_action'),"clean")) OR 
(match(lower('event_description'),"failed") AND NOT match(lower('event_description'),"deleted")) OR 
(match(lower('event_description'),"browser") AND NOT match(lower('ThreatName'),"web control violation")),"allowed",

match(lower('event_description'),"spam") OR 
match(lower('event_description'),"denied") OR 
match(lower('event_description'),"blocked") OR 
match(lower('event_description'),"handled") OR 
match(lower('event_description'),"deleted") OR 
match(lower('event_description'),"cleaned") OR 
match(lower('event_description'),"browser") OR
match(lower('event_description'),"quarantine") OR 
(match(lower('event_description'),"detected") AND 'threat_handled'=="1"),"blocked",



Well, this was the GUI-based statement I was building off of... tweak the prepended syntax to make it a props.conf config:

EVAL-action = ...



Hi Mary,

Thank you, that's a great example.
What I'm trying to say is that with the described add-on configuration you should not get any value for the fields vendor_action and action on the search head, even if you have vendor_action in events.
I see you use the condition AND match(lower('vendor_action') - is your 'vendor_action' field filled with values?


It does, unfortunately at this current job I no longer have access to the config files... I believe our admins at least start with stock TA/app deployments and customize to hell 😛

But I would say, if you have a stock TA/app and it's weird, you could comment out the problem statements in the stock version, then just make a quick custom app with only the things you need in it.

For example, you could make an app directory custom_$tech$, custom_mcafee_epo, and then drop local and metadata directories in with just the *.conf files you need in each, plus the local.meta file.

I could have sworn I had a post about making an IR app that gives you a nice little app shell... can't find it now, sorry!
