Dear Kishorilal,
I've modified the message a bit on Splunk Consultant's request.
blocked=$BLOCKED$, src=$ENDPOINT_MACHINE$, filename=$FILE_NAME$, id=$INCIDENT_ID$, policy=$POLICY$, protocol=$PROTOCOL$, dest=$RECIPIENT$, sender=$SENDER$, severity=$SEVERITY$, subject=$SUBJECT$, target=$TARGET$, violations=$MATCH_COUNTS$, app=symantec:dlp
Now, the problem is that two message fields are not getting resolved:
1. dest=
2. violations=
See the example event below:
Mar 23 16:56:07 abc.abc.com abc.abc.com blocked=None, src=abcmachine, filename=N/A, id=275122, policy=Splunk Test Policy, protocol=Endpoint Email/SMTP, dest=[UNKNOWN VARIABLE: RECIPIENT], sender=abc@abc.com, severity=1:High, subject=FW: , target=N/A, violations=[UNKNOWN VARIABLE: MATCH_COUNTS], app=symantec:dlp
Is there anything I need to change in the message, as the values are not getting fetched by the message?
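The event in the question shows the failure mode in the raw text: the fields the response rule could not fill arrive as the literal token [UNKNOWN VARIABLE: NAME] rather than as an empty value, and that token is what Splunk would index. As an added example, not part of the original post and not Symantec's or Splunk's own tooling, the Python below parses syslog events written with the posted template and reports which template variables were left unsubstituted, so a feed can be audited before its search-time extractions are trusted. It splits only on ", <known key>=" boundaries, so a value that itself contains a comma (a subject line, a policy name) survives where a naive split on commas would not. The first sample line is the event from the question; the second is constructed here for illustration.

```python
import re
from typing import Dict, List, Tuple

# Response-rule message template exactly as posted in the question above.
TEMPLATE = (
    "blocked=$BLOCKED$, src=$ENDPOINT_MACHINE$, filename=$FILE_NAME$, "
    "id=$INCIDENT_ID$, policy=$POLICY$, protocol=$PROTOCOL$, dest=$RECIPIENT$, "
    "sender=$SENDER$, severity=$SEVERITY$, subject=$SUBJECT$, target=$TARGET$, "
    "violations=$MATCH_COUNTS$, app=symantec:dlp"
)

# Field names the template emits, in order. Only ", <known key>=" is treated as a
# field boundary, so commas inside a value do not break the parse.
KEYS: List[str] = re.findall(r"(?:^|, )(\w+)=", TEMPLATE)
FIELD_START = re.compile(r"(?:^|, )(" + "|".join(map(re.escape, KEYS)) + r")=")

# Syslog header as it appears in the posted event: timestamp, host, tag, message.
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$"
)
# Literal token the response rule writes when a $VARIABLE$ had no value.
UNRESOLVED = re.compile(r"^\[UNKNOWN VARIABLE: (\w+)\]$")

# Event copied from the question (already redacted there).
POSTED_EVENT = (
    "Mar 23 16:56:07 abc.abc.com abc.abc.com blocked=None, src=abcmachine, "
    "filename=N/A, id=275122, policy=Splunk Test Policy, protocol=Endpoint Email/SMTP, "
    "dest=[UNKNOWN VARIABLE: RECIPIENT], sender=abc@abc.com, severity=1:High, "
    "subject=FW: , target=N/A, violations=[UNKNOWN VARIABLE: MATCH_COUNTS], app=symantec:dlp"
)
# Constructed for this example: every variable resolved, and a subject containing a comma.
CONSTRUCTED_EVENT = (
    "Mar 23 17:02:11 abc.abc.com abc.abc.com blocked=None, src=abcmachine, "
    "filename=N/A, id=275123, policy=Splunk Test Policy, protocol=Endpoint Email/SMTP, "
    "dest=bob@example.com, sender=abc@abc.com, severity=1:High, "
    "subject=Re: quarterly numbers, final, target=N/A, violations=3, app=symantec:dlp"
)


def parse_event(line: str) -> Dict[str, str]:
    """Split one syslog line into its template fields; values are kept verbatim."""
    m = SYSLOG.match(line)
    if not m:
        raise ValueError(f"not a syslog line in the expected shape: {line!r}")
    msg = m.group("msg")
    starts = list(FIELD_START.finditer(msg))
    if not starts or starts[0].start() != 0:
        raise ValueError("message does not begin with a template field")
    fields = {"_time": m.group("ts"), "host": m.group("host")}
    for i, fm in enumerate(starts):
        # A value runs from the end of "key=" to the start of the next ", key=".
        value_end = starts[i + 1].start() if i + 1 < len(starts) else len(msg)
        fields[fm.group(1)] = msg[fm.end():value_end]
    return fields


def unresolved_variables(fields: Dict[str, str]) -> Dict[str, str]:
    """Return {field: DLP variable} for every field left as a literal
    '[UNKNOWN VARIABLE: ...]' token instead of a substituted value."""
    found = {}
    for key, value in fields.items():
        m = UNRESOLVED.match(value)
        if m:
            found[key] = m.group(1)
    return found


def audit(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (incident id, unresolved fields) for each event that still
    carries an unresolved template variable; fully resolved events are skipped."""
    findings = []
    for line in lines:
        fields = parse_event(line)
        bad = unresolved_variables(fields)
        if bad:
            findings.append((fields["id"], bad))
    return findings


if __name__ == "__main__":
    for incident_id, bad in audit([POSTED_EVENT, CONSTRUCTED_EVENT]):
        for field, variable in bad.items():
            print(f"incident {incident_id}: {field}= was not filled from ${variable}$")
```

Running it against the two sample lines reports only incident 275122, with dest left unfilled from $RECIPIENT$ and violations from $MATCH_COUNTS$; the constructed event parses cleanly, including its comma-bearing subject. The same token check is what a search over the indexed events would need, since an unresolved field is not empty but holds the literal bracketed string.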