SQL Table changes for DLP_EventView table?

Hi All,

We currently use Splunk to index some data for DLP events, but the SQL queries have stopped working since upgrading DLP to version 11.

The queries are as follows:

-- SQL Server syntax (DATEADD/GETDATE). One row per event from DLP_EventView,
-- joined to its evidence rows; the LEFT JOIN returns one row per evidence value,
-- so an event with several evidence values appears several times.
SELECT ev.[UTCTime], ev.[EventRowID],
       ev.[Score], ev.[EventType], ev.[UserName],
       ev.[ComputerName], ev.[ProcessInfo_FileName],
       ev.[FocusDisplay], evd.[EvidenceValue],
       ev.[TotalContentSize]
FROM [DLP_EventView] AS ev
LEFT JOIN [DLP_EvidenceTypeAndValue] AS evd
       ON ev.[EventRowID] = evd.[EventRowID]
-- last 24 days, measured against the SQL Server's local clock (GETDATE())
WHERE ev.[UTCTime] > DATEADD(day, -24, GETDATE())

From what I can tell, the table DLP_EventView is no longer being populated by DLP events, and my guess is that the underlying SQL tables have changed. (We can see the events in McAfee report viewer, so we are confident the reports are being logged.)

Any help on re-writing this query to get access to the logs via SQL would be much appreciated.

1 Reply
IanMFE
Level 8

Re: SQL Table changes for DLP_EventView table?

Try creating a query within ePO. Once you are satisfied with the results, save the Query, and then select Action -> View SQL. Use that SQL for your Splunk query.
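Whatever SQL ePO's View SQL action emits, it still has to be shaped for a scheduled collector before it is worth indexing, and the query in the opening post shows two things a practitioner would want to handle first: the LEFT JOIN fans each event out into one row per evidence value, and the time window is measured with GETDATE(), which is the SQL Server's local clock rather than UTC. The block below is an added example, not code from the thread, ePO or McAfee: it reworks the original query (same table and column names, since this page shows nothing of the DLP 11 schema) into a Splunk DB Connect rising-column input. It assumes SQL Server 2017 or later for STRING_AGG, that EventRowID is unique and increasing so it can serve as the rising column, and that UTCTime is stored in UTC as its name suggests; all three are assumptions, not facts from the page.

```sql
-- Added example (not from the original post or from McAfee/ePO).
-- Assumes: SQL Server 2017+ (STRING_AGG), Splunk DB Connect rising-column input
-- with EventRowID as the rising column ("?" is replaced with the last checkpoint),
-- EventRowID unique and increasing, UTCTime stored in UTC.
SELECT
    ev.[EventRowID],            -- rising column: must be first-class in the SELECT list
    ev.[UTCTime],
    ev.[Score],
    ev.[EventType],
    ev.[UserName],
    ev.[ComputerName],
    ev.[ProcessInfo_FileName],
    ev.[FocusDisplay],
    ev.[TotalContentSize],
    -- Collapse the evidence rows into one field so each event is indexed once.
    -- CAST to nvarchar(max) avoids STRING_AGG's 8000-byte truncation error.
    -- On servers older than 2017, keep the plain join and dedupe by EventRowID in Splunk.
    STRING_AGG(CAST(evd.[EvidenceValue] AS nvarchar(max)), '; ') AS [EvidenceValues]
FROM [DLP_EventView] AS ev
LEFT JOIN [DLP_EvidenceTypeAndValue] AS evd
       ON evd.[EventRowID] = ev.[EventRowID]
WHERE ev.[EventRowID] > ?                              -- DB Connect checkpoint placeholder
  -- Bounds the initial backfill only; later runs are driven by the checkpoint.
  -- GETUTCDATE() matches a UTC column; GETDATE() would be off by the server's UTC offset.
  AND ev.[UTCTime] > DATEADD(day, -24, GETUTCDATE())
GROUP BY ev.[EventRowID], ev.[UTCTime], ev.[Score], ev.[EventType], ev.[UserName],
         ev.[ComputerName], ev.[ProcessInfo_FileName], ev.[FocusDisplay],
         ev.[TotalContentSize]
ORDER BY ev.[EventRowID] ASC;                          -- required for a rising column
```

If the SQL you copy out of ePO already names different tables for DLP 11, apply the same three changes to it: pick a unique, increasing column as the rising column and order by it, aggregate or otherwise dedupe any one-to-many join, and compare a UTC column against GETUTCDATE() rather than GETDATE().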
