I have the data coming in from the Darktrace appliance to a syslog server. My input is:
[monitor:///var/log/syslog/da-hoj-darktrace/darktrace-2018-*.log]
index = my_index
sourcetype = darktrace
host_segment = 4
The data is coming into Splunk however the field extraction is not working.
In props I see that it is trying to use JSON as an extraction, and the data leads me to believe that should work; however, it is not.
Any suggestions?
What does your props.conf file look like?
Are you using KV_MODE = JSON in the darktrace stanza?
Hey ccsfdave,
Try running this command:
./splunk cmd btool props list --debug
This will help you know which config, default or local, is being used.
Hope this helps!!
@deepshri_123 what I have found is that if I put this in the SPL it works. Now how do I do the same in the conf files?
rex "(^[^\{]+)(?m)(?<jsonData>.+)" | spath input=jsonData
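The same prefix stripping moved into the conf files, as the post above asks, is shown below as an added example; it is not from this thread, from Darktrace, or from Splunk documentation. It assumes, like the rex above, that every event is a syslog header followed by one JSON object that starts at the first `{`; the sample line in the comments is constructed.

```ini
# props.conf (added example, not from the thread)
# Assumed event shape (constructed sample, not a real Darktrace line):
#   Jan 10 12:00:00 da-hoj-darktrace darktrace: {"model":"Anomalous Connection","score":0.8}

# --- Version 1: the stanza as described in the question ---
# KV_MODE = json on its own does nothing here: the JSON parser expects the
# event to start with '{', and the syslog header in front of it makes the
# parse fail, so no fields are extracted.
[darktrace]
KV_MODE = json

# --- Version 2: corrected stanza (replaces Version 1, same file) ---
# SEDCMD is applied at parsing time on the indexer or heavy forwarder (it
# has no effect on a universal forwarder). It deletes everything before the
# first '{', which is what the rex in the search does by hand. Timestamp
# extraction runs earlier in the pipeline, so _time still comes from the
# syslog header even though the header is removed from _raw.
# With the event now a clean JSON object, KV_MODE = json works at search
# time on the search head, so "| spath" is no longer needed in the SPL.
[darktrace]
SEDCMD-strip_syslog_prefix = s/^[^{]+//
KV_MODE = json
```

Note that SEDCMD changes what is stored in the index, so only events indexed after the change are affected; data already on disk still needs the rex and spath from the search above.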
Can you share the sample log?