I found that the canned extractions for [field_extraction_for_agt_risk] and [field_extraction_for_agt_behavior] were not working with Splunk 6.2.3 and SEP manager v 12.1.4104.4130.
It looks like the last couple of fields for each were missing, in my case that's category_set, category_type, File_Size & Device_ID. I modified the regexes as below to make the last two fields optional. The pre-built dashboards now work correctly. I don't know if "something" is wrong in the versions, regexes, or logfiles themeselves, but if the developer sees this perhaps they can comment 🙂
[field_extraction_for_agt_behavior]
REGEX = (\s*'[^']*'|\s*[^,]*)(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:(?:,(\s*'[^']*'|\s*[^,]*)){1}(?:,(\s*'[^']*'|\s*[^,]*)){1})?
FORMAT = Severity::$2 Host_Name::$3 Action::$4 Description::$5 API::$6 Begin_Time::$7 End_Time::$8 Rule_Name::$9 Caller_Process_ID::$10 Caller_Process_Name::$11 Return_Address::$12 Return_Module::$13 Parameter::$14 User_Name::$15 Domain_Name::$16 Action_Type::$17 File_Size::$18 Device_ID::$19
[field_extraction_for_agt_risk]
REGEX = (\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1},Application\sversion:\s(.*),Application\stype:([^,]*)(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1}(?:,(\s*[^,']*'[^']*'|\s*[^,"]*"[^"]*"|\s*[^,]*)){1})?
FORMAT = Risk_Action::$2 IP_Address::$3 Computer_Name::$4 Source::$5 Risk_Name::$6 Occurrences::$7 File_Path::$8 Description::$9 Actual_Action::$10 Requested_Action::$11 Secondary_Action::$12 Event_Time::$13 Event_Insert_Time::$14 End_Time::$15 Last_Update_Time::$16 Domain_Name::$17 Group_Name::$18 Server_Name::$19 User_Name::$20 Source_Computer_Name::$21 Source_Computer_IP::$22 Disposition::$23 Download_site::$24 Web_domain::$25 Downloaded_by::$26 Prevalence::$27 Confidence::$28 URL_Tracking_Status::$29 First_Seen::$31 Sensitivity::$32 Reason_for_white_listing::$33 Application_Hash::$34 Hash_Type::$35 Company_Name::$36 Application_Name::$37 Application_Version::$38 Application_Type::$39 File_Size::$40 Category_set::$41 Category_type::$42
... View more