All Apps and Add-ons

Field Extracts not working for Darktrace Connector

ccsfdave
Builder

I have the data coming in from the Darktrace appliance to a syslog server. My input is:

[monitor:///var/log/syslog/da-hoj-darktrace/darktrace-2018-*.log]
index = my_index
sourcetype = darktrace
host_segment = 4

The data is coming into Splunk however the field extraction is not working.

In props I see that it is trying to use json as an extraction, and the data lends to me believing that that should work however, it is not.

Any suggestions?

0 Karma

cmccririe
Splunk Employee
Splunk Employee

What does your props.conf file look like?

Are you using KV_MODE = JSON in the darktrace stanza?

0 Karma

deepashri_123
Motivator

Hey ccsfdave,

Try running this command:
./splunk cmd btool props list --debug
This will help you know what config default or local are being used.

Hope this helps!!

0 Karma

ccsfdave
Builder

@deepshri_123 what I have found is that if I put this in the SPL it works. Now how do I do the same in the conf files?

rex "(^[^\{]+)(?m)(?<jsonData>.+)" | spath input=jsonData 

deepashri_123
Motivator

Can u share the sample log?

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...