Field Extracts not working for Darktrace Connector

ccsfdave · ‎03-08-2018

I have the data coming in from the Darktrace appliance to a syslog server. My input is:

[monitor:///var/log/syslog/da-hoj-darktrace/darktrace-2018-*.log]
index = my_index
sourcetype = darktrace
host_segment = 4

The data is coming into Splunk however the field extraction is not working.

In props I see that it is trying to use json as an extraction, and the data lends to me believing that that should work however, it is not.

Any suggestions?

cmccririe · ‎03-27-2018

What does your props.conf file look like?

Are you using KV_MODE = JSON in the darktrace stanza?

deepashri_123 · ‎03-08-2018

Hey ccsfdave,

Try running this command:
./splunk cmd btool props list --debug
This will help you know what config default or local are being used.

Hope this helps!!

ccsfdave · ‎03-08-2018

@deepshri_123 what I have found is that if I put this in the SPL it works. Now how do I do the same in the conf files?

rex "(^[^\{]+)(?m)(?<jsonData>.+)" | spath input=jsonData

deepashri_123 · ‎03-08-2018

Can u share the sample log?

Join the Conversation