All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Darktrace connector not showing data on dashboard

aoweneoecoop
Explorer
‎12-20-2019 02:06 AM

Hi all, We have installed the darktrace app in the search engine and we have confirmed the data is being sent from darktrace on the relevant port but we have not got any data in the dashboard. the input.conf and props.conf are below but we cannot see why the data is not being populated.

local inputs.conf
[tcp://10511]
connection_host = dns
index = darktrace
sourcetype = darktrace
local props.conf
[darktrace]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false

can someone advise why we cant see the data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aoweneoecoop
Explorer
‎12-31-2019 03:10 AM

I have managed to resolve this

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aoweneoecoop
Explorer
‎12-31-2019 03:10 AM

I have managed to resolve this

0 Karma
Reply
Solved! Jump to solution

crebollorodrigu
New Member
‎02-20-2020 01:54 AM

Hi,

I analized Darktrace dashboard queries and my current json syslog is not including fields "breachUrl" or "modbreachUrl".

In most of queries is written .... | eval darktraceUrl = coalesce(breachUrl,modbreachUrl) | dedup darktraceUrl | ... and this makes empty all queries because is deleting all logs without breachUrl and modbreachUrl

Try to add manually the flag keepempty=true to not to delete logs with these empty fields.
To make it works, all dashboard queries should add this anytime dedup appears:

| eval darktraceUrl = coalesce(breachUrl,modbreachUrl) | dedup darktraceUrl keepempty=true |

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-31-2019 05:39 AM

@aoweneoecoop To help future readers, please explain how you resolved the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...