McAfee has modified the db schema in its latest release of EPO. There's a new table called EPExtendedEventMT and the syntax for the changes to your SQL statement in DB Connect needs to be as follows: [EPExtendedEventMT].[field_to_be_retrieved] as [desired_field_name_in_Splunk] We expect these changes to be supported in a future release of our TA. For now, follow the steps below. In order to capture the process name which has now been moved to a new table in the latest version , the query needs to be modified as follow. Replace [EPOEvents].[SourceProcessName] as [process] With [EPExtendedEventMT].[TargetName] as [process] After FROM [EOPEvents] Add left join [EPExtendedEventMT] on [EPOEvents].[AutoID] = [EPExtendedEventMT].[EventAutoID] ... View more

Download and install the Splunk add-on for Windows if you have not already done so. https://splunkbase.splunk.com/app/742/#/details It needs to be installed both where the Universal Forwarder is installed and on your Splunk Enterprise server. If you have a separate indexer and search head, then install on Search Head as well. The compressed file you download needs to be uncompressed and placed in the following directory : $Splunk_Home/etc/apps On the Universal Forwarder only, enabled data collection by setting the Disabled parameter in inputs.conf to 0. Restart your Universal Forwarder after editing inputs.conf using notepad. Check the following index for data depending on what you’re collecting. index=windows index=wineventlog index=perfmon ... View more