


Download checksums

SHA256 (splunk-for-symantec_103.tgz): 35aaef9a2170c3b4b91831e9739a0d611ac03fdf8100259ba25fce160b7f297b
SHA256 (splunk-for-symantec_102.tgz): 9332657f2422e9b6a1e1b9c5fc6918586af1a0e6b18481f8a67fb5624dff38d0
SHA256 (splunk-for-symantec_101.tgz): ddcb06de039d1b75ab79203b2600375cd73b9a8e918a11735faa50935d4937d0
SHA256 (splunk-for-symantec_10.tgz): 1a7d583000cdd43d8654d4108d9259130b218903c697efd542bd3edbc9a21214
SHA256 (splunk-for-symantec_011-beta.tgz): fd050e97957ddd08b859174849a6eb5132d20d2d63324248843812ac1995cf1b
SHA256 (splunk-for-symantec_010-beta.tgz): c596ef4644fa9b1c08b1071f7ae4d9185d434ba5801448970f718d02b95651e6
SHA256 (splunk-for-symantec_09-beta.tgz): e86054aba7c7d321d1626a1982308b6c7c50e3ee09b5b12c67fb9ea5dede674b


Splunk for Symantec

This app has been archived.
Admins: please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades before installing or upgrading.
View your Symantec Endpoint Protection data



Supported Products: Symantec Endpoint Protection 11 & 12
This app works on Splunk 4.3.x and 5.x

For setup help or any questions, please post them to answers.splunk.com and tag them with SplunkforSymantec.

Change Log

Version 1.0.3

  • Updated support information.

Version 1.0.2

  • Fixed a bug in transforms.conf that caused field extractions not to work in a distributed environment.

Version 1.0.1

  • Fixed a bug in sep11 agent logs. Used a more consistent vocabulary across the app.

Version 1.0

  • Small bug fixes.

Beta 0.11

  • Fixed a bug in the TAs where the log sourcetype was set as behavior instead of traffic.

Beta 0.10

  • SEP 12 support
  • New dashboards

Beta 0.9

  • Multiple dashboards to view firewall event data
  • Multiple dashboards to view host event data
  • Dashboard to search for specific malware found by SEP

After downloading the app and completing the setup process, you still need to install the Symantec 11 Technology Add-on (TA) or the Symantec 12 Technology Add-on; if you run both SEP versions, install both TAs. They are included with this app in the appserver/addons directory. On a single-server Splunk instance, the TAs go on the same server as the app. In a distributed deployment, the TAs go on the indexers and the app goes on the search heads.

Configuring the TAs

Data can be received via syslog or by monitoring the SEP log files on the SEP Manager. To receive data over syslog, manually set the sourcetype of the associated data input to either 'sep11:log' or 'sep12:log'. The TAs apply their field extractions by sourcetype, so the value must match the SEP version that produced the data. To monitor the files directly, install a Splunk Universal Forwarder on the SEP Manager host, set the log file location in inputs.conf, and enable the associated file inputs. An example inputs.conf is provided in the app's default directory as inputs.conf.local. The default path in that file assumes the SEP Manager is installed in C:\Program Files\Symantec\Symantec Endpoint Protection Manager; edit the path if your SEP Manager is installed elsewhere.
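The two input styles described above, written out as an added example that is not the app's shipped inputs.conf.local and not part of the original page. It assumes a Universal Forwarder on the SEP Manager host reading the SEP 11 text export files under the default install path, and a syslog listener on an indexer receiving SEP 12 events. The export file names under data\dump, the TA directory name and the syslog port are assumptions; check them against your SEP Manager's log export settings and your own deployment.

```ini
# inputs.conf on the Universal Forwarder installed on the SEP Manager host,
# e.g. $SPLUNK_HOME/etc/apps/<TA directory>/local/inputs.conf (path assumed).
# The agt_*.tmp names are what SEPM writes when export to text files is
# enabled; verify them on your manager (assumption, not from the app page).
[monitor://C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_traffic.tmp]
disabled = 0
sourcetype = sep11:log

[monitor://C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\dump\agt_behavior.tmp]
disabled = 0
sourcetype = sep11:log

# Syslog listener on the indexer that SEP Manager 12 forwards to. 514/udp is
# the conventional syslog port (assumption); binding it needs privileges on
# Linux, so use a high port and a local relay if the indexer is unprivileged.
[udp://514]
disabled = 0
sourcetype = sep12:log
connection_host = ip
no_appending_timestamp = true
```

After restarting the forwarder, running "splunk btool inputs list --debug" on it shows each stanza together with the file it was read from, which catches a stanza left in the wrong directory or shadowed by a default. On the search head, a search for sourcetype=sep11:log (or sep12:log) confirms that events arrive with the exact sourcetype the TA expects; events landing under a different sourcetype will index but will not get the TA's extractions.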

Release Notes

Version 1.0.3
Aug. 5, 2013

Updated support information

Version 1.0.2
June 21, 2013

Fixed a bug in transforms.conf that caused field extractions not to work when the indexer and search head are separate systems.

Version 1.0.1
April 28, 2013

Fixed a bug in sep11 agent logs. Used a more consistent vocabulary across the app.

Version 1.0
April 11, 2013

1.0 Release of the Splunk for Symantec app

Version 0.11 beta
March 10, 2013

Fixed a bug in the TAs where the sourcetype for traffic logs was mislabeled as behavior.

Version 0.10 beta
Feb. 24, 2013

Support for SEP 12
New dashboards

Version 0.9 beta
Feb. 5, 2013




© 2005-2020 Splunk Inc. All rights reserved.