I noticed that some fields within the Splunk for Symantec sourcetype=symantec:ep:security:file are not being properly extracted. For example, the Applications_Name field has time values:
2017-11-14 21:28:57
2017-11-14 21:31:29
begin_Time has protocol values:
ICMP
TCP
UDP
as well as some other fields with values that aren't matching up. Anyone else having this issue?
Thx
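As an added example (not from the original post, and not code from the Splunk for Symantec add-on), here is a small Python check that flags extracted fields whose values do not fit the type the field name implies, using the values quoted above as constructed sample events. The expected-type table and the sample events are assumptions of this example, not the add-on's field specification.

```python
import re
from datetime import datetime

# Assumption: what a correctly extracted value in each field should look like.
# Only the two fields named in the post are listed; extend as needed.
EXPECTED_KIND = {
    "begin_Time": "timestamp",
    "Applications_Name": "text",
}

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
PROTOCOLS = {"ICMP", "TCP", "UDP"}


def classify(value):
    """Coarse type of an extracted value: timestamp, protocol, or plain text."""
    if TIMESTAMP_RE.match(value):
        try:
            datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            return "timestamp"
        except ValueError:
            pass  # matched the shape but is not a real date, treat as text
    if value.upper() in PROTOCOLS:
        return "protocol"
    return "text"


def find_misaligned_fields(event):
    """Return {field: observed_kind} for fields whose value kind is not the expected one."""
    problems = {}
    for field, expected in EXPECTED_KIND.items():
        if field in event:
            observed = classify(event[field])
            if observed != expected:
                problems[field] = observed
    return problems


def audit(events):
    """Run the check over a batch of extracted events; one result dict per event."""
    return [find_misaligned_fields(e) for e in events]


# Constructed sample events mirroring the symptom in the post: a timestamp
# landing in Applications_Name and a protocol landing in begin_Time.
SAMPLE_EVENTS = [
    {"Applications_Name": "2017-11-14 21:28:57", "begin_Time": "ICMP"},
    {"Applications_Name": "2017-11-14 21:31:29", "begin_Time": "TCP"},
    {"Applications_Name": "example_app.exe", "begin_Time": "2017-11-14 21:31:29"},
]

if __name__ == "__main__":
    for event, problems in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS)):
        print(event, "->", problems or "ok")
```

Feeding real search results (for example, exported as JSON) through `audit` gives a quick count of how often the extraction shifts, which is useful evidence when reporting the problem.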