All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extracts not working for Darktrace Connector

ccsfdave
Builder
‎03-08-2018 07:59 AM

I have the data coming in from the Darktrace appliance to a syslog server. My input is:

[monitor:///var/log/syslog/da-hoj-darktrace/darktrace-2018-*.log]
index = my_index
sourcetype = darktrace
host_segment = 4

The data is coming into Splunk however the field extraction is not working.

In props I see that it is trying to use json as an extraction, and the data lends to me believing that that should work however, it is not.

Any suggestions?

0 Karma
Reply

cmccririe
Splunk Employee
Splunk Employee
‎03-27-2018 08:02 AM

What does your props.conf file look like?

Are you using KV_MODE = JSON in the darktrace stanza?

0 Karma
Reply

deepashri_123
Motivator
‎03-08-2018 08:39 AM

Hey ccsfdave,

Try running this command:
./splunk cmd btool props list --debug
This will help you know what config default or local are being used.

Hope this helps!!

0 Karma
Reply

ccsfdave
Builder
‎03-08-2018 08:42 AM

@deepshri_123 what I have found is that if I put this in the SPL it works. Now how do I do the same in the conf files?

rex "(^[^\{]+)(?m)(?<jsonData>.+)" | spath input=jsonData
Reply

deepashri_123
Motivator
‎03-08-2018 08:51 AM

Can u share the sample log?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...