After installing the Symantec Add-On for Splunk, the Dashboard appears to show "search produced no results"
+ Symptom: In the ATP UI, the Splunk connector status is 'Critical' and no data is arriving for the incident data source
+ Symptom: In the Splunk Enterprise UI, in "App: symantec ATP App for Splunk", on the Incident Report tab, below "Host: All", the message "search produced no results" appears
+ Symantec ATP Add-on for Splunk v1.0.7-8
In Splunk search, run the following, giving earliest and latest in %m/%d/%Y:%H:%M:%S format:
index=_internal log_level=ERROR earliest="%m/%d/%Y:%H:%M:%S" latest="%m/%d/%Y:%H:%M:%S"
Example: from November 12th to 15th, 2012, at 8pm (month before day, as the format requires)
index=_internal log_level=ERROR earliest="11/12/2012:20:00:00" latest="11/15/2012:20:00:00"
see : http://docs.splunk.com/Documen
If there are fewer than 10,000 lines to export, click "Actions > Export Results..." from the Search or Charting view after the search has finished running.
If you cannot find "Actions > Export Results..." in the Splunk UI, append "| outputcsv output.csv" to your search.
After the query runs, the file output.csv is written to $SPLUNK_HOME/var/run/splunk/csv
* Application setup logs are written in $SPLUNK_HOME/var/log/TA-symant
* ATP Manager API logs are written at $SPLUNK_HOME/var/log/TA-symant
* Email Security.cloud API logs are written at $SPLUNK_HOME/var/log/TA-symant
To pack up the logs: tar cjfv /tmp/SplunkAddOnLogs.tar.bz2 $SPLUNK_HOME/var/log/TA-symant
If the logs contain the error "invalid key in stanza" multiple times, also collect the output of "splunk btool check --debug" (it validates the add-on's .conf files)
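The following POSIX shell script is an added example, not part of the Symantec article and not Symantec's or Splunk's own tooling. It triages the add-on log directory the way the steps above describe: it counts ERROR lines, counts repeats of "invalid key in stanza" so you know whether "splunk btool check --debug" output is also needed, and packs the directory into a bzip2 tarball as the tar command above does. The log directory and archive path are passed as arguments because the exact TA-symant... path is truncated on the page; the sample log lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Symantec KB article). Assumes:
#   $1 = the add-on log directory (the article's $SPLUNK_HOME/var/log/TA-symant... path)
#   $2 = the tarball to write, e.g. /tmp/SplunkAddOnLogs.tar.bz2

# Count ERROR-level lines across every *.log file in the directory.
# "|| true" keeps a zero match count from aborting a "set -e" shell.
count_error_lines() {
    dir="$1"
    cat "$dir"/*.log 2>/dev/null | grep -c 'ERROR' || true
}

# Count the specific error the article says should trigger "splunk btool check --debug".
count_invalid_key_errors() {
    dir="$1"
    cat "$dir"/*.log 2>/dev/null | grep -c 'invalid key in stanza' || true
}

# Pack the directory into a bzip2 tarball (same compression as the article's tar cjfv)
# and print the archive path on success.
pack_addon_logs() {
    dir="$1"
    out="$2"
    tar cjf "$out" -C "$(dirname "$dir")" "$(basename "$dir")" && printf '%s\n' "$out"
}

# Full triage: summarise counts, pack the logs, and say whether btool output is needed.
triage_addon_logs() {
    dir="$1"
    out="$2"
    errors=$(count_error_lines "$dir")
    invalid=$(count_invalid_key_errors "$dir")
    pack_addon_logs "$dir" "$out" >/dev/null
    printf 'error_lines=%s invalid_key_errors=%s archive=%s\n' "$errors" "$invalid" "$out"
    if [ "$invalid" -gt 1 ]; then
        echo 'Repeated "invalid key in stanza": also collect "splunk btool check --debug" output'
    fi
}

# Constructed sample log directory (file name and contents are made up for this example).
make_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ta_symantec_setup.log" <<'EOF'
2020-01-01 10:00:00,000 INFO  setup starting
2020-01-01 10:00:01,000 ERROR invalid key in stanza [symantec_atp] in .../local/inputs.conf
2020-01-01 10:00:02,000 ERROR invalid key in stanza [symantec_atp] in .../local/inputs.conf
2020-01-01 10:00:03,000 ERROR ATP Manager API request failed: HTTP 401
EOF
}

# Usage on real data: triage_addon_logs "$SPLUNK_HOME/var/log/<add-on log dir>" /tmp/SplunkAddOnLogs.tar.bz2
```

Run it against the real directory once the add-on has reproduced the problem; the printed summary and the tarball are what to attach when escalating, together with the btool output when the script asks for it.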
On the SEDR side, is the Splunk connector status still Critical? The matching log entries are again in
atp-splunk_connector.log, which can be displayed in the support CLI or collected as part of a SEDR diagnostic