
Why is my prebuilt panel included with the Splunk Add-on for Symantec DLP returning no results?

splunkbeginner
Engager

I made sure the search returns results within the 24h period, as expected.

I am trying to use the prebuilt panel included with the Splunk Add-on for Symantec DLP, "symantec_dlp_top_10_incident_senders_in_last_24h", to show the particular senders of interest who caused the incidents.

The following is the content of the prebuilt panel "symantec_dlp_top_10_incident_senders_in_last_24h". I expect it to be correct without any further modification?

  <query>sourcetype="symantec:dlp:syslog" earliest=-24h  | top limit=10 showperc=false sender</query>

Then I added the prebuilt panel to a dashboard in order to view the results, but no luck.

In fact, I tried all the prebuilt panels included with Splunk add-on for Symantec DLP as follows.

symantec_dlp_activities_by_action_in_last_24h
symantec_dlp_severity_distribution_in_last_24h
antec_dlp_top_10_incident_senders_in_last_24h
antec_dlp__severity_distribution_in_last_24h

The above panels are found in Splunk Web > Settings > User interface > Prebuilt panels. Again, I expect them to be correct without any further modification?

FYI: As per the official instructions, I have specified the following variables to extract from my Symantec DLP system and send them to Splunk.

Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Rules: $POLICY_RULES$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

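As an added illustration that is not part of the original post, the script below mimics what the panel's search `earliest=-24h | top limit=10 showperc=false sender` does over the "Key: value, Key: value" message format configured above: it extracts the fields, keeps only events inside the 24h window, and counts senders. Events with no extracted `Sender` field are silently dropped, which is exactly why a panel returns nothing when the add-on's field extractions are not applied to the events (the sample events and timestamps are constructed).

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Field names taken from the Message template in the question.
KEYS = ["ID", "Policy Violated", "Rules", "Count", "Protocol", "Recipient",
        "Sender", "Severity", "Subject", "Target", "Filename", "Blocked", "Endpoint"]
_KEY_ALT = "|".join(re.escape(k) for k in KEYS)
# A value runs until the next ", Key: " separator or the end of the message.
FIELD_RE = re.compile(rf"(?P<key>{_KEY_ALT}): (?P<val>.*?)(?=, (?:{_KEY_ALT}): |$)")


def parse_dlp_message(message):
    """Extract {key: value} from one Symantec DLP syslog message body."""
    return {m.group("key"): m.group("val").strip() for m in FIELD_RE.finditer(message)}


def top_senders(events, now, limit=10, window=timedelta(hours=24)):
    """events: list of (timestamp, message). Equivalent of
    'earliest=-24h | top limit=10 showperc=false sender'.
    Events without a Sender value contribute nothing, as in Splunk's top."""
    counts = Counter()
    for ts, message in events:
        if ts < now - window:
            continue                      # outside the 24h window
        sender = parse_dlp_message(message).get("Sender")
        if sender:
            counts[sender] += 1
    return counts.most_common(limit)


# Constructed sample events (hypothetical senders and incident IDs).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=1),
     "ID: 1001, Policy Violated: PCI, Rules: Card numbers, Count: 3, Protocol: SMTP, "
     "Recipient: ext@example.net, Sender: alice@example.com, Severity: High, "
     "Subject: Q4 report, Target: mail, Filename: report.xlsx, Blocked: Yes, Endpoint: WS-01"),
    (NOW - timedelta(hours=5),
     "ID: 1002, Policy Violated: PII, Rules: SSN, Count: 1, Protocol: SMTP, "
     "Recipient: ext@example.net, Sender: bob@example.com, Severity: Medium, "
     "Subject: HR list, Target: mail, Filename: hr.csv, Blocked: No, Endpoint: WS-02"),
    (NOW - timedelta(hours=3),
     "ID: 1003, Policy Violated: PCI, Rules: Card numbers, Count: 2, Protocol: HTTP, "
     "Recipient: upload.example.net, Sender: alice@example.com, Severity: High, "
     "Subject: n/a, Target: web, Filename: cards.txt, Blocked: Yes, Endpoint: WS-01"),
    (NOW - timedelta(hours=30),   # older than 24h: excluded by earliest=-24h
     "ID: 0999, Policy Violated: PCI, Rules: Card numbers, Count: 1, Protocol: SMTP, "
     "Recipient: ext@example.net, Sender: alice@example.com, Severity: Low"),
    (NOW - timedelta(hours=2),    # no Sender field: dropped, like an un-extracted field
     "ID: 1004, Policy Violated: PCI, Rules: Card numbers, Count: 1, Protocol: FTP"),
]

if __name__ == "__main__":
    print(top_senders(SAMPLE_EVENTS, NOW))
```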

lakshman239
SplunkTrust

Please check my answer to one of your other questions.

You need to install https://splunkbase.splunk.com/app/1314/ to see the dashboards/prebuilt panels, in addition to installing the TA: https://splunkbase.splunk.com/app/3029/

https://docs.splunk.com/Documentation/AddOns/released/SymantecDLP/Installationoverview

Also, if you use a different sourcetype/index, you may need to adjust them to match the DLP add-on/app.


lakshman239
SplunkTrust

If this has helped, can you please accept the answer to close tracking?


splunkbeginner
Engager

Thank you for your answer, which really helps.


splunkbeginner
Engager


Please ignore the second photo, and refer to this one instead.
