Channel: Questions in topic: "splunk-enterprise"

Symantec TA field Extractions not working

Hello All, I am troubleshooting an issue with the Symantec TA. Fields are not being extracted correctly and I am stumped as to why. I can take the regex out of transforms and put it directly into the search bar and it works like a champ and all fields are extracted correctly, but it is not being done automatically. I even went as far as to "extract new fields" and use the regex from transforms. What is strange is that this failed to automatically extract the fields too. Permissions were set to global and I was searching in verbose mode. In addition, the sourcetype is correct because I can search on that sourcetype and there are events.

Sample source from transforms and props:

[field_extraction_for_agt_behavior]
# The regular expression consists of repeated shorter regexes of the form below:
# (?[[sep_file_field]])
# All those regexes are joined by ",\s*", which is actually a comma.
# [[sep_file_field]] refers to the modular regex "sep_file_field". Refer to the Splunk documentation for details about modular regexes.
# The last two fields "File_Size" and "Device_ID" are optional.
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),?\s*(?[[sep_file_field]])?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Begin:\s*(?[[sep_file_field]]))?,\s*(?:End:\s*(?[[sep_file_field]]))?,\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?[[sep_file_field]]),\s*(?:Domain:\s*(?[[sep_file_field]]))?,\s*(?:Action\sType:\s*(?[[sep_file_field]]))?(?:,\s*File\ssize\s\(bytes\):\s*(?[[sep_file_field]]),\s*Device\sID:\s*(?[[sep_file_field]]))?$

[symantec:ep:behavior:file]
TRANSFORMS-nullqueueheader = sep_file_header
#KV_MODE = none
pulldown_type = true
category = Network & Security
description = Symantec Endpoint Protection agent behavior events
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
REPORT-field_extraction_for_agt_behavior = field_extraction_for_agt_behavior, process_from_caller_process_name, caller_md5_from_description
FIELDALIAS-vendor_action_SEP_behavior_vendor_action = vendor_action as SEP_behavior_vendor_action
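The following is an added example for this thread, not code from the original post or from the Symantec TA. It is an offline harness that walks the same chain Splunk walks for a search-time extraction: resolve the `REPORT-*` keys on a sourcetype in props.conf, look up each named transform, expand the `[[name]]` / `[[name:field]]` modular regex references, and run the result against sample events. Everything in it is constructed: the `demo:behavior:file` sourcetype, the stanza names, the placeholder definitions of `[sep_file_prefix]` and `[sep_file_field]` (the TA's real definitions are not shown on this page), and the sample events. Splunk evaluates these regexes with PCRE, so the harness translates two PCRE idioms that Python's `re` does not accept (`(?<name>...)` and a `^(?i)` inline flag after the anchor) and otherwise leaves the pattern alone.

```python
"""Offline check of a Splunk-style REPORT-/transforms.conf field extraction.

Added example, not the Symantec TA's code. All conf text, stanza names and
events below are constructed; [sep_file_prefix] / [sep_file_field] are
placeholder definitions, not the TA's.
"""
import re
from typing import Dict, List

# Constructed props.conf fragment (assumed sourcetype name).
PROPS_CONF = r"""
[demo:behavior:file]
SHOULD_LINEMERGE = false
REPORT-field_extraction_for_demo = field_extraction_for_demo, domain_from_event
"""

# Constructed transforms.conf fragment. [[name]] inlines a modular regex;
# [[name:field]] inlines it wrapped in a named capture group.
TRANSFORMS_CONF = r"""
[sep_file_prefix]
REGEX = \d+/\d+/\d+\s+\d+:\d+:\d+

[sep_file_field]
REGEX = [^,]*

[field_extraction_for_demo]
REGEX = ^(?i)(?:[[sep_file_prefix]]),\s*(?<hostname>[[sep_file_field]]),\s*[[sep_file_field:action]],?

[domain_from_event]
REGEX = Domain:\s*(?<domain>[[sep_file_field]])
"""

# Constructed sample events, not real SEP output.
SAMPLE_EVENTS = [
    "2024/01/02 03:04:05,host01,Blocked,Domain: CORP",
    "2024/01/02 03:04:05,host02,Allowed,",
    "host03,Allowed,Domain: CORP",  # no timestamp prefix: first transform fails
]

MODREF = re.compile(r"\[\[(\w+)(?::(\w+))?\]\]")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf reader: [stanza] headers and KEY = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def expand_modular(regex: str, transforms: Dict[str, Dict[str, str]], depth: int = 0) -> str:
    """Inline every [[name]] / [[name:field]] reference, recursively, with a
    depth guard so a self-referencing stanza cannot loop forever."""
    if depth > 16:
        raise ValueError("modular regex references nest too deeply (cycle?)")

    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in transforms or "REGEX" not in transforms[name]:
            raise KeyError(f"[[{name}]] has no REGEX stanza in transforms.conf")
        body = expand_modular(transforms[name]["REGEX"], transforms, depth + 1)
        return f"(?<{field}>{body})" if field else body

    return MODREF.sub(repl, regex)


def to_python_re(pcre: str) -> str:
    """PCRE -> Python re: (?<name>...) becomes (?P<name>...), and an inline
    flag written after the anchor, e.g. ^(?i), is hoisted to position 0
    (Python 3.11+ rejects global flags anywhere else)."""
    pat = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pcre)
    m = re.match(r"(\^?)\(\?([aiLmsux]+)\)", pat)
    if m:
        pat = f"(?{m.group(2)}){m.group(1)}{pat[m.end():]}"
    return pat


PROPS = parse_conf(PROPS_CONF)
TRANSFORMS = parse_conf(TRANSFORMS_CONF)


def extract(sourcetype: str, event: str) -> Dict[str, str]:
    """Resolve every REPORT-* key on the sourcetype, run each named transform
    and merge the captured fields. A transform that does not match simply
    contributes nothing, as with Splunk's search-time extraction."""
    fields: Dict[str, str] = {}
    for key, value in PROPS.get(sourcetype, {}).items():
        if not key.startswith("REPORT-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if name not in TRANSFORMS:
                raise KeyError(f"{key} names unknown transform [{name}]")
            pcre = expand_modular(TRANSFORMS[name]["REGEX"], TRANSFORMS)
            m = re.compile(to_python_re(pcre)).search(event)
            if m:
                fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def check_all(sourcetype: str = "demo:behavior:file", events: List[str] = SAMPLE_EVENTS) -> List[Dict[str, str]]:
    return [extract(sourcetype, e) for e in events]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, check_all()):
        print(f"{event!r} -> {fields or 'NO MATCH'}")
```

Paste a real event into `SAMPLE_EVENTS` and point `PROPS_CONF` / `TRANSFORMS_CONF` at the stanzas you actually deployed. If the harness extracts the fields but Splunk does not, the regex is not the problem: `REPORT-` extractions run at search time, so the props.conf and transforms.conf carrying them must be on the search head, and the `REPORT-` key must sit under the sourcetype the events really carry. A `KeyError` from the harness points at a `REPORT-` list naming a transform stanza that is missing, or a `[[name]]` reference with no `REGEX` behind it, both of which Splunk also silently refuses to extract.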
