
Old Endpoint Protection events appear in ICDx event archives


Article ID: 213715






Searching the ICDx archive shows some events from the Symantec Endpoint Protection Manager (SEPM) collector with a Collected Time and Event Time far apart from each other.



On initial configuration and startup, the SEPM collector will collect all available events from the SEPM database if configured to do so. Following initial data collection, only new events since the last collector checkpoint will be collected.


Release: 1.4

Component: SEPM collector


If events with a significant gap between Event Time and Collected Time appear in the ICDx data archive, these events were returned by the SEPM database at the time logged in the Collected Time field.

If the SEPM database continues to return old events to the ICDx collector, please export the events in question to a JSON file via the "down arrow" icon and open a support case for the ICDx product.
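Before opening a case, it helps to separate events picked up during the initial collection from old events that arrived afterwards. The following is an added example, not part of the original article or of the ICDx product: it reads an exported JSON file and sorts events with a large Event Time to Collected Time gap into those two groups. The key names `id`, `event_time` and `collected_time`, the ISO 8601 timestamp format, and the operator-supplied end time of the initial collection are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample standing in for an ICDx JSON export. The key names
# ("id", "event_time", "collected_time") and ISO 8601 values are assumptions;
# map them to the fields present in your own export.
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "event_time": "2020-01-05T10:00:00Z", "collected_time": "2021-03-01T08:00:05Z"},
    {"id": 2, "event_time": "2021-03-02T12:00:00Z", "collected_time": "2021-03-02T12:01:00Z"},
    {"id": 3, "event_time": "2020-06-10T00:00:00Z", "collected_time": "2021-03-15T04:00:00Z"},
    {"id": 4, "event_time": "2021-03-14T23:00:00Z", "collected_time": "2021-03-15T04:00:00Z"},
    {"id": 5, "event_time": "2021-03-16T01:00:00Z"},  # no collected time: skipped
])

def _parse(ts):
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify_stale_events(export_json, initial_collection_end, max_gap=timedelta(days=1)):
    """Return (backfill_ids, late_ids) for events whose gap exceeds max_gap.

    backfill_ids: collected during the initial collection (expected behaviour).
    late_ids:     collected after it, i.e. the database returned old events
                  past the first checkpoint (candidates for a support case).
    """
    cutoff = _parse(initial_collection_end)
    backfill, late = [], []
    for ev in json.loads(export_json):
        if "event_time" not in ev or "collected_time" not in ev:
            continue  # cannot compute a gap without both timestamps
        event_t = _parse(ev["event_time"])
        collected_t = _parse(ev["collected_time"])
        if collected_t - event_t <= max_gap:
            continue  # collected promptly, nothing unusual
        (backfill if collected_t <= cutoff else late).append(ev["id"])
    return backfill, late

if __name__ == "__main__":
    # Assumed: the initial collection finished at 2021-03-01T09:00:00Z.
    backfill, late = classify_stale_events(SAMPLE_EXPORT, "2021-03-01T09:00:00Z")
    print("initial backfill:", backfill)
    print("old events returned after initial collection:", late)
```

Events in the second group are the ones to attach to the support case.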