Format specifications for event types for the Splunk Add-on for Symantec DLP
The Symantec DLP add-on supports the key-value pair format and extracts the related information from messages written in that format. Users can include or exclude individual event fields to extract only the information they need. Splunk built the add-on around the following format:
application_user="$APPLICATION_USER$" |
attach_file_name="$ATTACHMENT_FILE_NAME$" |
blocked="$BLOCKED$" |
dataowner_name="$DATAOWNER_NAME$" |
dataowner_email="$DATAOWNER_EMAIL$" |
destination_ip="$DESTINATION_IP$" |
device_instance_id="$ENDPOINT_DEVICE_ID$" |
endpoint_location="$ENDPOINT_LOCATION$" |
endpoint_machine="$ENDPOINT_MACHINE$" |
endpoint_user_name="$ENDPOINT_USERNAME$" |
path="$PATH$" |
file_name="$FILE_NAME$" |
parent_path="$PARENT_PATH$" |
incident_id="$INCIDENT_ID$" |
machine_ip="$MACHINE_IP$" |
incident_snapshot="$INCIDENT_SNAPSHOT$" |
match_count="$MATCH_COUNT$" |
occured_on="$OCCURRED_ON$" |
policy="$POLICY$" |
policy_rules="$RULES$" |
protocol="$PROTOCOL$" |
quarantine_parent_path="$QUARANTINE_PARENT_PATH$" |
recipients="$RECIPIENTS$" |
reported_on="$REPORTED_ON$" |
scan_date="$SCAN$" |
sender="$SENDER$" |
server="$MONITOR_NAME$" |
severity="$SEVERITY$" |
status="$STATUS$" |
subject="$SUBJECT$" |
target="$TARGET$" |
url="$URL$" |
user_justification="$USER_JUSTIFICATION$" |
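To show how a message in this format is produced and consumed, here is an added example (not the add-on's own code) that derives the field list from the template above, renders a constructed incident into a key-value line, and parses the line back. Variable names are the ones on this page; the sample incident values are made up, and the quote handling in render() is an assumption, not documented add-on behaviour.

```python
import re

# Message template from the add-on documentation: Splunk field name on the left,
# Symantec DLP response-rule variable on the right, entries separated by " | ".
TEMPLATE = (
    'application_user="$APPLICATION_USER$" | attach_file_name="$ATTACHMENT_FILE_NAME$" | '
    'blocked="$BLOCKED$" | dataowner_name="$DATAOWNER_NAME$" | dataowner_email="$DATAOWNER_EMAIL$" | '
    'destination_ip="$DESTINATION_IP$" | device_instance_id="$ENDPOINT_DEVICE_ID$" | '
    'endpoint_location="$ENDPOINT_LOCATION$" | endpoint_machine="$ENDPOINT_MACHINE$" | '
    'endpoint_user_name="$ENDPOINT_USERNAME$" | path="$PATH$" | file_name="$FILE_NAME$" | '
    'parent_path="$PARENT_PATH$" | incident_id="$INCIDENT_ID$" | machine_ip="$MACHINE_IP$" | '
    'incident_snapshot="$INCIDENT_SNAPSHOT$" | match_count="$MATCH_COUNT$" | occured_on="$OCCURRED_ON$" | '
    'policy="$POLICY$" | policy_rules="$RULES$" | protocol="$PROTOCOL$" | '
    'quarantine_parent_path="$QUARANTINE_PARENT_PATH$" | recipients="$RECIPIENTS$" | '
    'reported_on="$REPORTED_ON$" | scan_date="$SCAN$" | sender="$SENDER$" | server="$MONITOR_NAME$" | '
    'severity="$SEVERITY$" | status="$STATUS$" | subject="$SUBJECT$" | target="$TARGET$" | '
    'url="$URL$" | user_justification="$USER_JUSTIFICATION$" |'
)

ENTRY_RE = re.compile(r'(\w+)="\$(\w+)\$"')   # one template entry: field="$VARIABLE$"
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')      # one emitted pair: field="value"


def template_fields():
    """Return {splunk_field: dlp_variable} in the order the add-on emits them."""
    return dict(ENTRY_RE.findall(TEMPLATE))


def render(values):
    """Substitute DLP variable values (keyed by variable name) into the template.
    Assumption: double quotes inside a value are dropped so the pair stays parseable."""
    def sub(m):
        return '"%s"' % str(values.get(m.group(1), "")).replace('"', "")
    return re.sub(r'"\$(\w+)\$"', sub, TEMPLATE)


def parse(line):
    """Extract field="value" pairs into a dict. Matching on the quoted value rather than
    splitting on "|" keeps values such as a rule list that itself contains " | " intact."""
    return dict(PAIR_RE.findall(line))


# Constructed sample incident (not a real DLP event).
SAMPLE = {"INCIDENT_ID": "12345", "POLICY": "PCI Data", "RULES": "Credit Card Numbers | SSN",
          "BLOCKED": "Yes", "SENDER": "alice@example.com", "RECIPIENTS": "bob@example.org",
          "SEVERITY": "High", "MATCH_COUNT": "3", "SUBJECT": 'Q3 "final" report'}
```

Calling parse(render(SAMPLE)) yields all 33 fields, with unset variables present as empty strings.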