
why is my prebuilt panel included with Splunk add-on for Symantec DLP returning no results?

I made sure the search can return results within the 24h period, as expected.

I am trying to use the prebuilt panel included with the Splunk add-on for Symantec DLP, "symantecdlptop10incidentsendersinlast24h", to show the particular senders of interest who caused the incidents.

The following is the content of the prebuilt panel "symantecdlptop10incidentsendersinlast24h". I expect it should be correct without any further modification?

  <query>sourcetype="symantec:dlp:syslog" earliest=-24h  | top limit=10 showperc=false sender</query>

Then I added the prebuilt panel to a dashboard in order to view the results, but no luck.

In fact, I tried all the prebuilt panels included with Splunk add-on for Symantec DLP as follows.

symantecdlpactivitiesbyactioninlast24h
symantecdlpseveritydistributioninlast24h
symantecdlptop10incidentsendersinlast24h
symantecdlp_severitydistributioninlast_24h

The above panels are found in Splunk Web > Settings > User interface > Prebuilt panels. Again, I expect they should be correct without any further modification?

FYI: As per the official instructions, I have specified the following variables to extract from my Symantec DLP system and send them to Splunk.

Message = ID: $INCIDENTID$, Policy Violated: $POLICY$, Rules: $POLICYRULES$, Count: $MATCHCOUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILENAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$


SplunkTrust

Please check my answer to one of your other questions.

You need to install https://splunkbase.splunk.com/app/1314/ to see the dashboard/pre-built panels in addition to installing the TA - https://splunkbase.splunk.com/app/3029/

https://docs.splunk.com/Documentation/AddOns/released/SymantecDLP/Installationoverview

Also, if you use a different sourcetype/index, you may need to adjust them to match the DLP add-on/app.

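To make the answer's second point concrete: the panel only returns rows for events that (a) carry the sourcetype the search names, (b) fall inside the 24h window, and (c) yield a sender field. The script below is an added example, not code from the original post or from the Splunk add-on; it parses the Message template quoted in the question and emulates "top limit=10 showperc=false sender" over a few constructed events so you can see which ones silently drop out. The label-to-field mapping (Sender to sender, and so on) is an assumption for this example; the add-on's real extractions live in its props/transforms and are not reproduced here.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Labels from the syslog "Message" template in the question, mapped to the
# field names the panel search expects. The mapping to "sender" etc. is an
# assumption made for this example; the real extraction lives in the add-on's
# props/transforms and is not reproduced here.
LABELS = {
    "ID": "incident_id",
    "Policy Violated": "policy",
    "Rules": "rules",
    "Count": "match_count",
    "Protocol": "protocol",
    "Recipient": "recipients",
    "Sender": "sender",
    "Severity": "severity",
    "Subject": "subject",
    "Target": "target",
    "Filename": "filename",
    "Blocked": "blocked",
    "Endpoint": "endpoint_machine",
}

# A label is only recognised at the start of the message or after ", ",
# so commas inside a value (e.g. several recipients) do not split it.
LABEL_RE = re.compile(
    r"(?:^|, )(" + "|".join(re.escape(k) for k in LABELS) + r"): "
)


def parse_dlp_message(message):
    """Return {field: value} for a message that follows the template.
    A message in another format yields an empty dict, i.e. no 'sender'."""
    fields = {}
    matches = list(LABEL_RE.finditer(message))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        fields[LABELS[m.group(1)]] = message[m.end():end].strip()
    return fields


def top_senders(events, now, window=timedelta(hours=24), limit=10):
    """Emulate: sourcetype="symantec:dlp:syslog" earliest=-24h
                | top limit=10 showperc=false sender

    events: iterable of (timestamp, sourcetype, message).
    An event is skipped when its sourcetype differs, its timestamp is outside
    the window, or no sender can be extracted; 'top' never sees it.
    """
    counts = Counter()
    for ts, sourcetype, message in events:
        if sourcetype != "symantec:dlp:syslog":
            continue
        if ts < now - window or ts > now:
            continue
        sender = parse_dlp_message(message).get("sender")
        if not sender:
            continue
        counts[sender] += 1
    return counts.most_common(limit)


# Constructed sample events (not real DLP output).
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)


def _msg(incident_id, sender, recipients):
    return (
        f"ID: {incident_id}, Policy Violated: PCI, Rules: Credit Card Numbers, "
        f"Count: 3, Protocol: SMTP, Recipient: {recipients}, Sender: {sender}, "
        f"Severity: High, Subject: Q2 report, Target: smtp-gateway, "
        f"Filename: q2.xlsx, Blocked: Yes, Endpoint: WS-{incident_id}"
    )


SAMPLE_EVENTS = [
    (NOW - timedelta(hours=1), "symantec:dlp:syslog",
     _msg(1001, "alice@corp.example", "ext@example.org, partner@example.net")),
    (NOW - timedelta(hours=2), "symantec:dlp:syslog",
     _msg(1002, "alice@corp.example", "ext@example.org")),
    (NOW - timedelta(hours=3), "symantec:dlp:syslog",
     _msg(1003, "bob@corp.example", "ext@example.org")),
    # Older than 24h: outside the panel's time range.
    (NOW - timedelta(hours=30), "symantec:dlp:syslog",
     _msg(1004, "carol@corp.example", "ext@example.org")),
    # Indexed under a different sourcetype: the panel search never matches it.
    (NOW - timedelta(hours=1), "syslog",
     _msg(1005, "dave@corp.example", "ext@example.org")),
    # Not in the template format: no 'sender' field is extracted.
    (NOW - timedelta(hours=1), "symantec:dlp:syslog",
     "Incident 1006 from eve@corp.example (Severity High)"),
]

if __name__ == "__main__":
    for sender, count in top_senders(SAMPLE_EVENTS, NOW):
        print(f"{sender}\t{count}")
```

Run as-is it prints only alice and bob; the older event, the one indexed as plain syslog, and the free-text message contribute nothing, which is what an empty panel looks like from the Splunk side. The fix on this thread was the missing app, but the same three checks (sourcetype, time range, extracted field) are the first things to verify whenever a prebuilt panel stays empty.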

SplunkTrust

If this has helped, can you please accept the answer to close tracking?


Thank you for your answer, which really helps.



Please ignore the second photo, and refer to this one instead.
