Troubleshoot the Splunk Add-on for Symantec Endpoint Protection
General troubleshooting
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Cannot launch add-on
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Check if the add-on is intended to be visible or not in the Splunk Add-ons Troubleshooting topic.
Access the internal log files
To access the internal logs produced by this add-on, run this search.
index=_internal source="*ta_symantec-ep.log"
Malware categories are not up to date
If you have enabled automatic updates for the malware category lookup file but the data does not appear to be up to date, verify that the automatic updates are configured correctly.
Check $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/local/inputs.conf on your search heads to ensure that the scripted input stanza is present in the file and enabled (disabled = 0). If the stanza is missing, you can set it up again in the UI, or you can copy the relevant stanza from $SPLUNK_HOME/etc/apps/Splunk_TA_symantec-ep/default/inputs.conf into local/inputs.conf and change disabled = 1 to disabled = 0.
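The check above can be scripted. The following is an added example, not code from the Splunk Add-on for Symantec Endpoint Protection or from Splunk: it parses a default/inputs.conf and a local/inputs.conf, merges them per stanza the way Splunk layers local settings over default, reports whether each script:// stanza is present in local and effectively enabled, and renders the stanza copied from default with disabled = 0 for pasting into local. The stanza name, script path and file contents are constructed placeholders; the real scripted-input stanza name is whatever the add-on ships in its own default/inputs.conf.

```python
"""Check a Splunk scripted input for presence in local/inputs.conf and its
effective 'disabled' value. Added example; the stanza name below is a
constructed placeholder, not the add-on's real scripted input."""
import configparser
from typing import Dict

# Constructed placeholder stanza name (NOT the add-on's actual script path).
STANZA = "script://./bin/PLACEHOLDER_update_malware_lookup.py"

# Constructed sample of default/inputs.conf: the input ships disabled.
DEFAULT_INPUTS = f"""
[{STANZA}]
interval = 86400
disabled = 1
sourcetype = symantec:ep:lookup
"""

# Constructed sample of local/inputs.conf where an admin enabled the input.
LOCAL_INPUTS_ENABLED = f"""
[{STANZA}]
disabled = 0
"""

# Constructed sample of local/inputs.conf from which the stanza is missing.
LOCAL_INPUTS_MISSING = """
[monitor:///var/log/symantec/unrelated.log]
sourcetype = symantec:ep:other
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-like, '=' separated) into {stanza: {key: value}}."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def effective_stanzas(default_text: str, local_text: str) -> Dict[str, Dict[str, str]]:
    """Merge local over default per stanza, which is how Splunk resolves settings."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged


def scripted_input_status(default_text: str, local_text: str) -> Dict[str, Dict[str, bool]]:
    """For each script:// stanza, report whether it is present in local and
    whether it is effectively enabled (disabled = 0 after layering)."""
    local = parse_conf(local_text)
    report = {}
    for stanza, settings in effective_stanzas(default_text, local_text).items():
        if not stanza.startswith("script://"):
            continue
        disabled = settings.get("disabled", "0").strip().lower()
        report[stanza] = {
            "in_local": stanza in local,
            "enabled": disabled not in ("1", "true", "t", "yes", "y"),
        }
    return report


def stanza_for_local(default_text: str, stanza: str) -> str:
    """Render the stanza from default/inputs.conf with disabled = 0, ready to
    paste into local/inputs.conf (the manual remediation described above)."""
    settings = dict(parse_conf(default_text)[stanza])
    settings["disabled"] = "0"
    lines = [f"[{stanza}]"] + [f"{key} = {value}" for key, value in settings.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, local_text in (("enabled", LOCAL_INPUTS_ENABLED), ("missing", LOCAL_INPUTS_MISSING)):
        print(label, scripted_input_status(DEFAULT_INPUTS, local_text))
    print(stanza_for_local(DEFAULT_INPUTS, STANZA))
```

To run this against a real deployment, replace the embedded sample strings with the contents of the two inputs.conf files from the add-on directory on each search head; a stanza reported as in_local False and enabled False is the case the troubleshooting step describes.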