Splunk® Supported Add-ons

Splunk Add-on for Symantec DLP

Format specifications for event types for the Splunk Add-on for Symantec DLP

The Symantec DLP add-on supports Key Value pair format and extracts related information in the specified format. Users can include or exclude various event fields so as to extract information as needed. Splunk has built the addon using the following format:

application_user="$APPLICATION_USER$"
attach_file_name="$ATTACHMENT_FILE_NAME$"
blocked="$BLOCKED$"
dataowner_name="$DATAOWNER_NAME$"
dataowner_email="$DATAOWNER_EMAIL$"
destination_ip="$DESTINATION_IP$"
device_instance_id="$ENDPOINT_DEVICE_ID$"
endpoint_location="$ENDPOINT_LOCATION$"
endpoint_machine="$ENDPOINT_MACHINE$"
endpoint_user_name="$ENDPOINT_USERNAME$"
path="$PATH$"
file_name="$FILE_NAME$"
parent_path="$PARENT_PATH$"
incident_id="$INCIDENT_ID$"
machine_ip="$MACHINE_IP$"
incident_snapshot="$INCIDENT_SNAPSHOT$"
match_count="$MATCH_COUNT$"
occured_on="$OCCURRED_ON$"
policy="$POLICY$"
policy_rules="$RULES$"
protocol="$PROTOCOL$"
quarantine_parent_path="$QUARANTINE_PARENT_PATH$"
recipients="$RECIPIENTS$"
reported_on="$REPORTED_ON$"
scan_date="$SCAN$"
sender="$SENDER$"
server="$MONITOR_NAME$"
severity="$SEVERITY$"
status="$STATUS$"
subject="$SUBJECT$"
target="$TARGET$"
url="$URL$"
user_justification="$USER_JUSTIFICATION$"
Last modified on 12 January, 2022
Source types for the Splunk Add-on for Symantec DLP   Release notes for the Splunk Add-on for Symantec DLP

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters