All Apps and Add-ons

My Cylance json data is double extracted in Search and Reporting app, but it looks fine under Cylance app.

jenipherc
Splunk Employee
Splunk Employee

This is the search I did in both apps:

“index=cylance_protect sourcetype=device” 

And I have this in my props.conf for this device sourcetype.

props.conf 
.../etc/apps/cylance_protect/default/props.conf AUTO_KV_JSON = false 
.../etc/apps/cylance_protect/default/props.conf INDEXED_EXTRACTIONS = json 
.../etc/apps/cylance_protect/default/props.conf KV_MODE = none 

Currently, the Cylance app sharing is private.

Could you help me understand why, and how to fix it?

jenipherc
Splunk Employee
Splunk Employee

If the Cylance app sharing is private, that means when you search the sourcetype=device in Search and Reporting, it will not use some of the settings defined in the Cylance app.

Therefore, AUTO_KV_JSON=true and KV_MODE=auto which are the default settings for search-time extractions will be used in Search and Reporting app, causing the json data to be extracted again "search time" in addition to the Indexed-time extraction defined in INDEXED_EXTRACTIONS = json.

In order to fix it, change the Cylance app sharing to Global so that AUTO_KV_JSON = false and KV_MODE = none will be used when you search that outside of Cylance app. The double extraction shouldn't occur.

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.