Message "search produced no results" appears in Splunk UI on "App: symantec ATP App for Splunk"

Article ID: 176240

Products

Endpoint Detection and Response
Advanced Threat Protection Platform

Issue/Introduction

After installing the Symantec Add-On for Splunk, the dashboard shows the message "search produced no results".

+ Symptom: In the ATP UI, the Splunk connector status is 'Critical' and no data is arriving for the incident data source.
+ Symptom: In the Splunk Enterprise UI, on "App: symantec ATP App for Splunk", on the Incident Report tab, below "Host: All", the message "search produced no results" appears.

Environment

+ Symantec ATP Add-on for Splunk v1.0.7-8

Resolution

   In Splunk search, run: index=_internal log_level=ERROR earliest="%m/%d/%Y:%H:%M:%S" latest="%m/%d/%Y:%H:%M:%S"

      Note that the earliest/latest time modifiers take the month first (%m/%d/%Y), so November 12th is written 11/12, not 12/11.

      example : from November 12th to 15th, 2012, at 8pm

                index=_internal log_level=ERROR earliest="11/12/2012:20:00:00" latest="11/15/2012:20:00:00"

      see : http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers

   If there are fewer than 10,000 lines to export, click "Actions > Export Results..." from the Search or Charting view after the search has finished running.

   If you cannot find "Actions > Export Results..." in the Splunk UI, append "| outputcsv output.csv" to your search.

   After the query runs, the file output.csv is written to $SPLUNK_HOME/var/run/splunk/csv

* Application setup logs are written in $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/ta_symantec_setup.log

* ATP Manager API logs are written at $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/ta_symantec_atp_manager_api.log

* Email Security.cloud API logs are written at $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/ta_symantec_email_security_cloud_api.log

  To pack up the logs for Support: tar cjfv /tmp/SplunkAddOnLogs.tar.bz2 $SPLUNK_HOME/var/log/TA-symantec_atp/local/logs/*

 

If the logs contain the error "invalid key in stanza" repeatedly, also collect the output of "splunk btool check --debug" (run from $SPLUNK_HOME/bin); it reports which .conf file and stanza carry the unrecognised key.
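The Splunk-side collection described above (time-bounded _internal error search, CSV export, add-on log bundle, and the btool check when stanza errors are present) as one shell helper. This is an added example, not part of the original article and not Symantec's or Splunk's own code. It assumes $SPLUNK_HOME is set, that the splunk CLI is on PATH and already authenticated, and the script, function and output file names are hypothetical. It goes slightly beyond the article by validating the input dates, because a date typed day-first is accepted by Splunk but searches the wrong window.

```sh
#!/bin/sh
# Added example (not Symantec's or Splunk's own code). Assumes $SPLUNK_HOME is set,
# "splunk" is on PATH and the session is authenticated (or add -auth user:pass).
# Function and file names are hypothetical.

# Convert "YYYY-MM-DDTHH:MM:SS" into the %m/%d/%Y:%H:%M:%S form that Splunk's
# earliest=/latest= modifiers expect. Month comes first, so 12 November 2012
# must be written 11/12/2012, not 12/11/2012.
to_splunk_time() {
    iso=$1
    case $iso in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) printf 'to_splunk_time: expected YYYY-MM-DDTHH:MM:SS, got %s\n' "$iso" >&2; return 1 ;;
    esac
    date_part=${iso%%T*}; time_part=${iso#*T}
    y=${date_part%%-*}; rest=${date_part#*-}
    m=${rest%%-*}; d=${rest#*-}
    printf '%s/%s/%s:%s' "$m" "$d" "$y" "$time_part"
}

# Build the _internal ERROR search for a window. Fails (non-zero) on bad input
# rather than emitting a search that Splunk would silently misread.
build_error_search() {
    start=$(to_splunk_time "$1") || return 1
    end=$(to_splunk_time "$2") || return 1
    printf 'index=_internal log_level=ERROR earliest="%s" latest="%s"' "$start" "$end"
}

# Count "invalid key in stanza" lines across the given log files; a missing
# file counts as zero. A non-zero total is the cue to also run btool check.
count_stanza_errors() {
    total=0
    for f in "$@"; do
        n=$(grep -c 'invalid key in stanza' "$f" 2>/dev/null || true)
        total=$((total + ${n:-0}))
    done
    printf '%s' "$total"
}

# Collect everything the article asks for into $TMPDIR (default /tmp).
# Only runs when invoked as:  sh collect_atp_splunk_diag.sh run START END
collect() {
    out=${TMPDIR:-/tmp}
    search=$(build_error_search "$1" "$2") || exit 1
    splunk search "$search" -maxout 0 -output csv > "$out/splunk_errors.csv"
    logdir="$SPLUNK_HOME/var/log/TA-symantec_atp/local/logs"
    tar cjf "$out/SplunkAddOnLogs.tar.bz2" "$logdir"/*
    if [ "$(count_stanza_errors "$logdir"/*.log)" -gt 0 ]; then
        splunk btool check --debug > "$out/btool_check.txt" 2>&1
    fi
}

if [ "${1:-}" = run ]; then
    [ -n "$SPLUNK_HOME" ] || { echo 'SPLUNK_HOME is not set' >&2; exit 1; }
    collect "$2" "$3"
fi
```

Run it as `sh collect_atp_splunk_diag.sh run 2012-11-12T20:00:00 2012-11-15T20:00:00`; the CSV replaces the manual "Export Results..." step for searches that exceed the 10,000-line UI limit, and the tarball matches the one the article asks you to send.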

 

On the SEDR side, check whether the Splunk connector status is still Critical. The matching logs are in atp-splunk_connector.log, which can either be displayed in the support CLI or collected as part of a SEDR diagnostic.