Manually Reset the Splunk Application for Data Collection

Article ID: 227378

Updated On:

Products

Email Security.cloud

Issue/Introduction

There is a noticeable lag in data feed collection, and a new cookie needs to be generated for the Email Security.cloud Splunk application.

Environment

Email Security.Cloud Splunk TA add-on

Resolution

Instructions to manually reset Splunk App:

  1. Log into your Splunk instance
  2. In the Splunk UI navigate to “Settings > Data > Data inputs”
  3. Under “Local inputs” select “Scripts”
  4. In the “Filter” search box, search for “symantec_collect_atp.py”
  5. Under the “Status” column of “symantec_collect_atp.py” click “Disable”
  6. Navigate to the following file location:
    1. Windows: C:\Program Files\Splunk\etc\apps\TA-symantec_email\local\
    2. *nix: $SPLUNK_HOME/etc/apps/TA-symantec_email/local/
  7. Open the file “symantec_email_setup.conf”
  8. Change the following variables:
    1. enable_force_reset = True
    2. force_reset_timestamp = <timestamp> (Note: Enter <timestamp> in yyyy-MM-ddTHH:mm:ssZ format.)
  9. Go back to the Splunk UI and follow steps 1-4 to re-enable “symantec_collect_atp.py” by clicking “Enable” under the “Status” column.

Note: Following these steps can produce duplicate entries, especially when going beyond the time the feed was functioning properly.
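
Steps 6 to 8 on a *nix host, as an added example that is not part of the original article or the add-on: it validates the timestamp, keeps a backup of the file, and rewrites the two settings in place. It assumes both settings already exist in the file as `key = value` lines and that the trailing Z in the format is the literal UTC designator; the function names are hypothetical.

```shell
#!/bin/sh
# Added example for steps 6-8 (*nix). Run it only while the
# symantec_collect_atp.py input is disabled (step 5).

# Assumption: the "Z" in yyyy-MM-ddTHH:mm:ssZ is the literal UTC designator.
valid_reset_timestamp() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]Z$'
}

# set_force_reset CONF TIMESTAMP
# Rewrites the two existing settings in CONF and leaves the previous
# version in CONF.bak. Returns 2 for a malformed timestamp and 3 if
# either setting is not present in CONF (nothing is written in both cases).
set_force_reset() {
    conf=$1 ts=$2
    valid_reset_timestamp "$ts" || { echo "bad timestamp: $ts" >&2; return 2; }
    for key in enable_force_reset force_reset_timestamp; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf" || {
            echo "$key not found in $conf" >&2; return 3; }
    done
    cp -p "$conf" "$conf.bak" || return 1
    # Writing through the redirect keeps the owner and mode of the original file.
    sed -E \
        -e "s|^([[:space:]]*enable_force_reset[[:space:]]*=).*|\1 True|" \
        -e "s|^([[:space:]]*force_reset_timestamp[[:space:]]*=).*|\1 $ts|" \
        "$conf.bak" > "$conf"
}

# Usage (the timestamp here is a constructed sample value):
#   sh force_reset.sh "$SPLUNK_HOME/etc/apps/TA-symantec_email/local/symantec_email_setup.conf" 2024-01-15T08:00:00Z
if [ "$#" -eq 2 ]; then
    set_force_reset "$1" "$2"
fi
```

After the script succeeds, re-enable the input as described in step 9.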