I have made sure that searches can return results within the 24h period as expected.
I am trying to use the prebuilt panel included with the Splunk add-on for Symantec DLP, "symantec_dlp_top_10_incident_senders_in_last_24h", to show the particular senders of interest who caused the incidents.
The following is the content of the prebuilt panel "symantec_dlp_top_10_incident_senders_in_last_24h". I expect it should be correct without any further modification?
<query>sourcetype="symantec:dlp:syslog" earliest=-24h | top limit=10 showperc=false sender</query>
Then I added the prebuilt panel to dashboards in order to view the results, but no luck.
In fact, I tried all the prebuilt panels included with the Splunk add-on for Symantec DLP, as follows.
symantec_dlp_activities_by_action_in_last_24h
symantec_dlp_severity_distribution_in_last_24h
symantec_dlp_top_10_incident_senders_in_last_24h
antec_dlp__severity_distribution_in_last_24h
The above panels are found in Splunk Web > Settings > User interface > Prebuilt panels. Again, I expect they should be correct without any further modification?
FYI: as per the official instructions, I have specified the following variables to extract from my Symantec DLP system and send to Splunk.
Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Rules: $POLICY_RULES$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$
Please check my answer to one of your other questions.
You need to install https://splunkbase.splunk.com/app/1314/ to see the dashboard/prebuilt panels, in addition to installing the TA - https://splunkbase.splunk.com/app/3029/
https://docs.splunk.com/Documentation/AddOns/released/SymantecDLP/Installationoverview
Also, if you use a different sourcetype/index, you may need to adjust them to match the DLP add-on/app.
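To make the sourcetype point concrete, here is an added example (not part of the question, the answer, or the Splunk add-on) that emulates the panel's search, `sourcetype="symantec:dlp:syslog" earliest=-24h | top limit=10 showperc=false sender`, in plain Python over a handful of constructed DLP syslog events whose message body follows the template quoted in the question. The field-extraction regex, the event dictionaries with `_time`/`sourcetype`/`_raw` keys, and the sample sender addresses are assumptions made for the demonstration; the add-on's own extractions may differ. Note how events indexed under a different sourcetype never reach `top`, which is exactly what an empty panel looks like:

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Keys from the message template quoted in the question. A value may itself
# contain commas (e.g. several rules), so the regex stops only at the next
# known key, not at the next comma. This extraction is an assumption about
# how the fields would be pulled out, not the add-on's own regex.
KEYS = ["ID", "Policy Violated", "Rules", "Count", "Protocol", "Recipient",
        "Sender", "Severity", "Subject", "Target", "Filename", "Blocked", "Endpoint"]
_ALT = "|".join(re.escape(k) for k in KEYS)
FIELD_RE = re.compile(rf"(?:^|, )({_ALT}): (.*?)(?=, (?:{_ALT}): |$)")


def extract_fields(raw: str) -> dict:
    """Return {field_name: value} with keys lowercased like Splunk fields."""
    return {key.lower().replace(" ", "_"): value for key, value in FIELD_RE.findall(raw)}


# Constructed sample data: a fixed "now" and a few events at various ages.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def _msg(incident_id: int, sender: str, severity: str = "High") -> str:
    return (f"ID: {incident_id}, Policy Violated: PCI, Rules: Credit Card Numbers, "
            f"Count: 3, Protocol: SMTP, Recipient: partner@example.net, "
            f"Sender: {sender}, Severity: {severity}, Subject: Q4 report, "
            f"Target: mail.example.net, Filename: report.xlsx, Blocked: Yes, "
            f"Endpoint: WS-042")


def _evt(hours_ago: int, sourcetype: str, incident_id: int, sender: str) -> dict:
    return {"_time": NOW - timedelta(hours=hours_ago),
            "sourcetype": sourcetype,
            "_raw": _msg(incident_id, sender)}


SAMPLE_EVENTS = [
    _evt(1, "symantec:dlp:syslog", 1001, "alice@example.com"),
    _evt(2, "symantec:dlp:syslog", 1002, "alice@example.com"),
    _evt(5, "symantec:dlp:syslog", 1003, "bob@example.com"),
    _evt(9, "symantec:dlp:syslog", 1004, "alice@example.com"),
    _evt(23, "symantec:dlp:syslog", 1005, "bob@example.com"),
    _evt(30, "symantec:dlp:syslog", 1006, "carol@example.com"),  # older than 24h
    _evt(3, "syslog", 1007, "dave@example.com"),                 # wrong sourcetype
]


def top_senders(events, now=NOW, sourcetype="symantec:dlp:syslog",
                earliest_hours=24, limit=10):
    """Emulate: sourcetype=<st> earliest=-<h>h | top limit=<n> showperc=false sender.

    Returns [(sender, count), ...] sorted by count descending; ties are broken
    alphabetically here, which Splunk's `top` does not guarantee.
    """
    cutoff = now - timedelta(hours=earliest_hours)
    counts = Counter()
    for event in events:
        # Both filters happen before any field is looked at: an event indexed
        # under another sourcetype (or index) is simply invisible to the panel.
        if event["sourcetype"] != sourcetype or event["_time"] < cutoff:
            continue
        fields = extract_fields(event["_raw"])
        if "sender" in fields:  # `top sender` skips events without the field
            counts[fields["sender"]] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


if __name__ == "__main__":
    print("panel sourcetype:", top_senders(SAMPLE_EVENTS))
    print("mismatched sourcetype:", top_senders(SAMPLE_EVENTS, sourcetype="syslog"))
```

Running it shows alice (3) and bob (2) for the panel's sourcetype, while carol is dropped by the 24h window and dave only appears if you change the sourcetype filter to the one his event was actually indexed under. That is the adjustment the answer above refers to: either fix the sourcetype/index on the input so it matches what the add-on and app expect, or edit the panel search to match your data.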
If this has helped, can you please accept the answer to close tracking?
Thank you for your answer, which really helps.
Please ignore the second photo and refer to this one instead.