https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471458#M57944 <P>Hi all, We have installed the darktrace app in the search engine and we have confirmed the data is being sent from darktrace on the relevant port but we have not got any data in the dashboard. the input.conf and props.conf are below but we cannot see why the data is not being populated. </P> <P>local inputs.conf<BR /> [tcp://10511]<BR /> connection_host = dns<BR /> index = darktrace<BR /> sourcetype = darktrace<BR /> local props.conf<BR /> [darktrace]<BR /> DATETIME_CONFIG =<BR /> INDEXED_EXTRACTIONS = json<BR /> LINE_BREAKER = ([\r\n]+)<BR /> NO_BINARY_CHECK = true<BR /> disabled = false</P> <P>can someone advise why we cant see the data?</P> Wed, 30 Sep 2020 03:28:15 GMT aoweneoecoop 2020-09-30T03:28:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471458#M57944 <P>Hi all, We have installed the darktrace app in the search engine and we have confirmed the data is being sent from darktrace on the relevant port but we have not got any data in the dashboard. the input.conf and props.conf are below but we cannot see why the data is not being populated. </P> <P>local inputs.conf<BR /> [tcp://10511]<BR /> connection_host = dns<BR /> index = darktrace<BR /> sourcetype = darktrace<BR /> local props.conf<BR /> [darktrace]<BR /> DATETIME_CONFIG =<BR /> INDEXED_EXTRACTIONS = json<BR /> LINE_BREAKER = ([\r\n]+)<BR /> NO_BINARY_CHECK = true<BR /> disabled = false</P> <P>can someone advise why we cant see the data?</P> Wed, 30 Sep 2020 03:28:15 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471458#M57944 aoweneoecoop 2020-09-30T03:28:15Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471459#M57945 <P>I have managed to resolve this</P> Tue, 31 Dec 2019 11:10:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471459#M57945 aoweneoecoop 2019-12-31T11:10:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471460#M57946 <P>@aoweneoecoop To help future readers, please explain how you resolved the problem.</P> Tue, 31 Dec 2019 13:39:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471460#M57946 richgalloway 2019-12-31T13:39:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471461#M57947 <P>Hi,</P> <P>I analized Darktrace dashboard queries and my current json syslog is not including fields "breachUrl" or "modbreachUrl".</P> <P>In most of queries is written .... <CODE>| eval darktraceUrl = coalesce(breachUrl,modbreachUrl) | dedup darktraceUrl |</CODE> ... and this makes empty all queries because is deleting all logs without breachUrl and modbreachUrl</P> <P>Try to add manually the flag <STRONG>keepempty=true</STRONG> to not to delete logs with these empty fields.<BR /> To make it works, all dashboard queries should add this anytime dedup appears: </P> <P><CODE>| eval darktraceUrl = coalesce(breachUrl,modbreachUrl) | dedup darktraceUrl keepempty=true |</CODE></P> Thu, 20 Feb 2020 09:54:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Darktrace-connector-not-showing-data-on-dashboard/m-p/471461#M57947 crebollorodrigu 2020-02-20T09:54:16Z