Solved: What's the role of category and description in the...

danielbb · ‎11-08-2019

I see the following in the /Splunk_TA_symantec-ep props.conf -

[symantec:ep:scan:file]
TRANSFORMS-nullqueueheader = sep_file_header
KV_MODE = none
pulldown_type = true
category = Network & Security
description = Symantec Endpoint Protection agent scan events
MAX_TIMESTAMP_LOOKAHEAD = 32

What's the role of category and description? It would be nice to have them as fields.

FrankVl · ‎11-08-2019

Those are properties of the sourcetype. Have a look at the sourcetypes through your Splunk web GUI -> settings -> sourcetypes.

If you want to set fields like that for this data, you can do so using EVAL statements in your props.conf.

View solution in original post

FrankVl · ‎11-08-2019

Those are properties of the sourcetype. Have a look at the sourcetypes through your Splunk web GUI -> settings -> sourcetypes.

If you want to set fields like that for this data, you can do so using EVAL statements in your props.conf.

danielbb · ‎11-13-2019

But you know, when I set my own sourcetypes in props.conf I never set the category.... maybe I should.

FrankVl · ‎11-13-2019

If you mostly work through config files, there is not too much value to it I believe. It is mostly something that is used in the GUI. For example when you want to select a sourcetype while going through the Add Data 'wizard'.

danielbb · ‎11-14-2019

Right, but the users view it via the GUI - might be useful for them.

FrankVl · ‎11-14-2019

Well, the average user typically doesn't look at the properties of the source type I think.

Adding this kind of extra information to event fields would indeed be useful, that I fully agree with, but that is something slightly different as I mentioned in my answer.

What's the role of category and description in the TAs?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes