Help with darktrace extraction with darktrace connector



I have a problem with the Darktrace collector.

Monitor logs Darktrace

Logs Darktrace

disabled = false
recursive = true
index = darktrace
sourcetype = darktrace:syslog
whitelist = \.log$
host_segment = 4
The data arrives in Splunk. However, the field extraction does not work.
The props.conf in .../Darktrace/defaults/ for syslog is:
pulldown_type = true
KV_MODE = json
category = Structured
description = Darktrace JSON syslog format.
SEDCMD-remove_header = s/^[^\{]+//

I have an architecture with utility server, search head, cluster indexers, syslog+UF (darktrace).
I need some help, please.
Thank you in advance.

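The two props.conf settings in the post act at different stages of the pipeline, which matters in a syslog + UF, clustered-indexer architecture: SEDCMD is an index-time transformation applied by the parsing tier (indexers or a heavy forwarder; a universal forwarder does not run it, and a search head applies it only to data it indexes itself), while KV_MODE = json is a search-time setting that the search head applies to the stored event. If the event still carries the syslog prefix when it is stored, KV_MODE = json has nothing to extract. The following is an added example, not code from the original thread or from the Darktrace connector: it replays `s/^[^\{]+//` over three constructed syslog lines (placeholder field names, not Darktrace's real schema) and then attempts JSON extraction, showing which lines yield fields with and without the header removal. It also shows the edge case that the same regex blanks a line that contains no `{` at all.

```python
import json
import re

# Same regex as SEDCMD-remove_header = s/^[^\{]+// : drop everything before
# the first "{" so the stored event starts with the JSON object.
HEADER_RE = re.compile(r"^[^{]+")

# Constructed sample events (not a real Darktrace capture; the field names
# are placeholders, not Darktrace's schema). Lines 1-2 carry the header a
# syslog daemon writes in front of the JSON payload; line 3 has no JSON.
SAMPLE_LINES = [
    'Mar 12 10:15:01 dt-appliance darktrace: {"example_field": "alpha", "score": 0.73}',
    '<13>1 2024-03-12T10:15:02Z dt-appliance darktrace - - - {"example_field": "beta", "score": 0.2}',
    'Mar 12 10:15:03 dt-appliance darktrace: heartbeat ok',
]


def apply_sedcmd(raw):
    """Index-time step: what the parsing tier (indexer or heavy forwarder)
    does with SEDCMD-remove_header. A universal forwarder never runs it."""
    return HEADER_RE.sub("", raw, count=1)


def kv_mode_json(event):
    """Search-time step: KV_MODE = json only yields fields when the whole
    event parses as a JSON object; a leading syslog header breaks that."""
    try:
        obj = json.loads(event)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def extract_fields(lines, sedcmd_applied):
    """Run each line through the (optional) SEDCMD and then KV_MODE=json.
    Returns the extracted fields per line, or None where extraction fails."""
    results = []
    for raw in lines:
        event = apply_sedcmd(raw) if sedcmd_applied else raw
        results.append(kv_mode_json(event))
    return results


if __name__ == "__main__":
    for label, flag in (("without SEDCMD (UF/search head only)", False),
                        ("with SEDCMD (props.conf on the indexers)", True)):
        print(label)
        for raw, fields in zip(SAMPLE_LINES, extract_fields(SAMPLE_LINES, flag)):
            print("  ", "fields" if fields else "none  ", raw[:60])
```

Practical reading of the result: the props.conf stanza carrying SEDCMD has to be deployed where the data is parsed (the indexer cluster via the cluster manager, or a heavy forwarder in front of it), under the same sourcetype name the inputs.conf assigns (`darktrace:syslog` in the post), and KV_MODE has to be present on the search head. Line 3 shows the caveat of the regex: any event without a `{` is emptied by it, so non-JSON lines mixed into the same file should be routed to a different sourcetype or dropped before this stanza sees them.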


Hi All,

Was the issue resolved? I ask as I currently have extraction issues but am not having any luck resolving them.




How are you sending Darktrace logs to Splunk? When I deployed the connector, I used a TCP port for the input. The props.conf in the default folder is just like yours, but in the local folder there are some other configs:


LINE_BREAKER = ([\r\n]+)
disabled = false

My inputs.conf:

connection_host = dns
index = darktrace
sourcetype = darktrace