All Apps and Add-ons

Help with darktrace extraction with darktrace connector



I have a problem with daktrace collector.

Monitor logs Darktrace

Logs Darktrace

disabled = false
recursive = true
index = darktrace
sourcetype = darktrace:syslog
whitelist = \.log$
host_segment = 4
The data arrives in Splunk However the field of extraction does not work.
the conf props.conf  in .../Darktrace/defaults/ in syslog is:
pulldown_type = true
KV_MODE = json
category = Structured
description = Darktrace JSON syslog format.
SEDCMD-remove_header = s/^[^\{]+//

I have an architecture with utility server, search head, cluster indexers, syslog+UF (darktrace).
I need some help, please.
Thank you in advance.

0 Karma

Path Finder

Hi All,

Was the issue resolved. I ask as I currently have extractions issues but not having any luck with resolving it. 

0 Karma



How are you sending Darktrace logs to Splunk? When I deployed the connector I have used a TCP port to perform the input. The props.conf in default folder is just like yours. But in the local folder there are some other configs:


LINE_BREAKER = ([\r\n]+)
disabled = false

My inputs.conf:

connection_host = dns
index = darktrace
sourcetype = darktrace
0 Karma
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...