Splunk® Enterprise

Add Symantec Endpoint Protection data: Distributed deployment with indexer clustering

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install the Splunk Add-on for Symantec Endpoint Protection on your search heads

Follow these steps to install the Splunk Add-on for Symantec Endpoint Protection on your search heads.

Prepare your search heads

To automatically update the malware categories lookup file with the latest list of threats from Symantec, you must prepare the search heads. Perform the following steps on the search head cluster members:

  1. Remove the eventgen.conf file and all files in the Samples folder.
  2. Remove the inputs.conf file.

Install the app on the search head

To install the Splunk Add-on for SEP download the add-on from Splunkbase.

Then, complete the following steps:

  1. From the Splunk Web home screen, click the gear icon next to Apps.
  2. Click Install app from file.
  3. Locate the downloaded file and click Upload.
  4. If Splunk Enterprise prompts you to restart, do so.
  5. From the Splunk Web home screen, click the gear icon next to Apps.
  6. Find the add-on and click Edit properties.
  7. Change Visible to No.


To verify that your installation succeeded, check that the add-on is at $SPLUNK_HOME/etc/apps/<Splunk_TA_name_of_add-on>.

Last modified on 27 August, 2021
Install the Splunk Add-on for Symantec Endpoint Protection onto your forwarders   Install the Splunk Add-on for SEP onto your indexer cluster

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters