I see the following in the /Splunk_TA_symantec-ep props.conf:
[symantec:ep:scan:file]
TRANSFORMS-nullqueueheader = sep_file_header
KV_MODE = none
pulldown_type = true
category = Network & Security
description = Symantec Endpoint Protection agent scan events
MAX_TIMESTAMP_LOOKAHEAD = 32
What's the role of category and description? It would be nice to have them as fields.
Those are properties of the sourcetype. Have a look at the sourcetypes through your Splunk web GUI -> settings -> sourcetypes.
If you want to set fields like that for this data, you can do so using EVAL statements in your props.conf.
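As an added example (not code from the Splunk_TA_symantec-ep app or from the thread), this is what the answer above looks like in practice: the same stanza keeps category and description as sourcetype properties, and two EVAL- settings expose the same text as search-time calculated fields on every event. The field names sourcetype_category and sourcetype_description are this example's choice, and the local/ placement is an assumption about how you deploy it.

```ini
# Added example, not the TA's own configuration.
# Place it in Splunk_TA_symantec-ep/local/props.conf (or a small custom app) on the
# search head, so the TA's default/props.conf is left untouched and survives upgrades.
[symantec:ep:scan:file]
# Sourcetype properties: visible under Settings -> Source types and in the Add Data
# wizard, but never attached to indexed or searched events.
category = Network & Security
description = Symantec Endpoint Protection agent scan events

# Calculated fields (EVAL-<fieldname> = <eval expression>): evaluated at search time
# for each event of this sourcetype, so they show up as ordinary fields.
# Field names are this example's choice, not a Splunk convention.
EVAL-sourcetype_category = "Network & Security"
EVAL-sourcetype_description = "Symantec Endpoint Protection agent scan events"

# Check after a restart or a debug/refresh:
#   sourcetype=symantec:ep:scan:file | stats count by sourcetype_category sourcetype_description
```

Because EVAL- settings are applied at search time, the stanza has to live wherever searches run (the search head, or every search head in a cluster), not only on the forwarders or indexers that carry the rest of the TA.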
But you know, when I set my own sourcetypes in props.conf I never set the category... maybe I should.
If you mostly work through config files, there is not too much value to it I believe. It is mostly something that is used in the GUI. For example when you want to select a sourcetype while going through the Add Data 'wizard'.
Right, but the users view it via the GUI - might be useful for them.
Well, the average user typically doesn't look at the properties of the source type I think.
Adding this kind of extra information to event fields would indeed be useful, that I fully agree with, but that is something slightly different as I mentioned in my answer.