Download topic as PDF
Format specifications for event types for the Splunk Add-on for Symantec DLP
The Symantec DLP add-on supports Key Value pair format and extracts related information in the specified format. Users can include or exclude various event fields so as to extract information as needed. Splunk has built the addon using the following format:
| application_user="$APPLICATION_USER$" |
| attach_file_name="$ATTACHMENT_FILE_NAME$" |
| blocked="$BLOCKED$" |
| dataowner_name="$DATAOWNER_NAME$" |
| dataowner_email="$DATAOWNER_EMAIL$" |
| destination_ip="$DESTINATION_IP$" |
| device_instance_id="$ENDPOINT_DEVICE_ID$" |
| endpoint_location="$ENDPOINT_LOCATION$" |
| endpoint_machine="$ENDPOINT_MACHINE$" |
| endpoint_user_name="$ENDPOINT_USERNAME$" |
| path="$PATH$" |
| file_name="$FILE_NAME$" |
| parent_path="$PARENT_PATH$" |
| incident_id="$INCIDENT_ID$" |
| machine_ip="$MACHINE_IP$" |
| incident_snapshot="$INCIDENT_SNAPSHOT$" |
| match_count="$MATCH_COUNT$" |
| occured_on="$OCCURRED_ON$" |
| policy="$POLICY$" |
| policy_rules="$RULES$" |
| protocol="$PROTOCOL$" |
| quarantine_parent_path="$QUARANTINE_PARENT_PATH$" |
| recipients="$RECIPIENTS$" |
| reported_on="$REPORTED_ON$" |
| scan_date="$SCAN$" |
| sender="$SENDER$" |
| server="$MONITOR_NAME$" |
| severity="$SEVERITY$" |
| status="$STATUS$" |
| subject="$SUBJECT$" |
| target="$TARGET$" |
| url="$URL$" |
| user_justification="$USER_JUSTIFICATION$" |
Last modified on 12 January, 2022
|
PREVIOUS Source types for the Splunk Add-on for Symantec DLP |
NEXT Release notes for the Splunk Add-on for Symantec DLP |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!