All Apps and Add-ons

Field Extracts not working for Darktrace Connector

ccsfdave
Builder

I have the data coming in from the Darktrace appliance to a syslog server. My input is:

[monitor:///var/log/syslog/da-hoj-darktrace/darktrace-2018-*.log]
index = my_index
sourcetype = darktrace
host_segment = 4

The data is coming into Splunk however the field extraction is not working.

In props I see that it is trying to use json as an extraction, and the data lends to me believing that that should work however, it is not.

Any suggestions?

0 Karma

cmccririe
Splunk Employee
Splunk Employee

What does your props.conf file look like?

Are you using KV_MODE = JSON in the darktrace stanza?

0 Karma

deepashri_123
Motivator

Hey ccsfdave,

Try running this command:
./splunk cmd btool props list --debug
This will help you know what config default or local are being used.

Hope this helps!!

0 Karma

ccsfdave
Builder

@deepshri_123 what I have found is that if I put this in the SPL it works. Now how do I do the same in the conf files?

rex "(^[^\{]+)(?m)(?<jsonData>.+)" | spath input=jsonData 

deepashri_123
Motivator

Can u share the sample log?

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...