I'm having a little bit of a problem with the fields not being correctly formatted from the SEP EP logs and would really appreciate a little help & guidance.
Here is a brief environment summary:
Here is a summary of what I have done:
Inputs configured in the deployment app as recommended, defining the monitor index as symantecep, .e.g.:
[monitor://C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump\scm_admin.tmp]
index = symantecep
sourcetype = symantec:ep:admin:file
disabled = 0
App successfully deployed to the SEP client via a server class
The logs are appearing on the search head in the index specified but the fields are not being extracted.
I have attached screenshots of how the search results appear in the search head.
My assumption is that the app runs on the forwarder which collects the information, assigns source types, carries out field extraction, and then forwards them to the indexer, so please correct me if that's wrong.
Thank you for taking a look at my little SEP problem.
I'll deploy the app to the indexer in the morning and give that a go. That does makes sense as it's the indexer that's processing the logs with the search head then going through it. I'm still relatively new to Splunk so I'm learning as I'm going along.
And yes, I meant the SEP Manager. I was referring to it being a forwarder so a client in the eyes of Splunk.
Thanks again and hopefully I'll come back tomorrow with good news.
Installing the app on the forwarder and the search head in the end resolved the problem, which was largely down to me not fully appreciating that an app has multiple components.
I have also deployed it back to the indexer for completeness.
Thank you for your help!
I'm afraid that's not fixed the issue.
The app has been successfully deployed to the indexer but the logs still appear as they did in the original screenshots.
Any suggestions on where I should look for troubleshooting?