I have the data coming in from the Darktrace appliance to a syslog server. My input is:
    [monitor:///var/log/syslog/da-hoj-darktrace/darktrace-2018-*.log]
    index = my_index
    sourcetype = darktrace
    host_segment = 4
The data is coming into Splunk; however, the field extraction is not working.
In props I see that it is trying to use json as an extraction, and the data leads me to believe that that should work; however, it is not.
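As an added diagnostic that is not part of the original post (and not Splunk's or Darktrace's own tooling), the script below checks whether each line in the monitored files is bare JSON, JSON sitting behind a syslog header, or not JSON at all, since a json-based extraction in props.conf only succeeds on the first kind. The sample lines and the `darktrace-host` name are constructed stand-ins for real appliance output; `scan_files` takes the same glob pattern as the monitor stanza.

```python
import glob
import json

# Constructed sample lines standing in for the syslog file contents;
# they are not real Darktrace appliance output.
SAMPLE_LINES = [
    '{"time": "2018-05-01T10:00:00Z", "model": "Anomalous Connection", "score": 0.6}',
    'May  1 10:00:01 darktrace-host darktrace: {"time": "2018-05-01T10:00:01Z", "score": 0.3}',
    'May  1 10:00:02 darktrace-host sshd[123]: Accepted publickey for admin',
]


def classify_line(line: str) -> dict:
    """Return the line's kind: bare 'json', 'prefixed_json' (JSON after a
    syslog header, with that header returned as 'prefix'), or 'not_json'."""
    stripped = line.strip()
    try:
        json.loads(stripped)
        return {"kind": "json", "prefix": ""}
    except json.JSONDecodeError:
        pass
    # Look for a JSON object that starts after some leading text.
    idx = stripped.find("{")
    if idx > 0:
        try:
            json.loads(stripped[idx:])
            return {"kind": "prefixed_json", "prefix": stripped[:idx]}
        except json.JSONDecodeError:
            pass
    return {"kind": "not_json", "prefix": ""}


def summarize(lines) -> dict:
    """Count how many lines fall into each kind."""
    counts = {"json": 0, "prefixed_json": 0, "not_json": 0}
    for line in lines:
        if line.strip():  # skip blank lines
            counts[classify_line(line)["kind"]] += 1
    return counts


def scan_files(pattern: str) -> dict:
    """Summarize every file matching a glob, e.g. the monitor stanza's path."""
    counts = {"json": 0, "prefixed_json": 0, "not_json": 0}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for kind, n in summarize(fh).items():
                counts[kind] += n
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

If the `prefixed_json` count dominates, the JSON is not at the start of the event, which is what a json extraction expects to parse.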