Splunk Add-on for Bit9 Carbon Black: Why are syslog events not parsing into expected fields?

darlas
Communicator

Hi.

I've just configured Syslog to Splunk on Carbon Black server. Also, the TA has been installed on my Splunk servers.

The Carbon Black events are making it to Splunk as expected, but none of the fields are being parsed out. Since the Syslog event format is key=value pairs, I'd expect to at minimum get those parsed out.

Did I miss something in the setup? Anyone else with this problem?

Thanks.

1 Solution

darlas
Communicator

Ah, thanks for the clarification. Just the default search mode when running an ad hoc search. I think that is called Smart Mode.

The issue was the KV_MODE setting in props.conf. The syslog events were not in JSON format, so changing KV_MODE to AUTO resolved the issue.


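The following is an added illustration, not code from the original thread or from the Splunk Add-on for Bit9 Carbon Black, of why KV_MODE = json produces no fields for a key=value syslog event while KV_MODE = auto does. The two props.conf stanzas are hypothetical (the add-on's actual sourcetype name is not given in the thread, so carbonblack:syslog is a placeholder), the sample events are constructed with illustrative field names, and the two extractors are simplified stand-ins for Splunk's search-time extraction, not Splunk's own code.

```python
"""Added example: effect of KV_MODE on search-time field extraction.

Not Splunk code. The JSON and key=value extractors below approximate what
KV_MODE = json and KV_MODE = auto do at search time, far enough to show the
symptom described in the thread (key=value syslog events, no fields).
"""
import configparser
import json
import re

# Hypothetical props.conf stanzas. "carbonblack:syslog" is an assumed
# placeholder; the add-on's real sourcetype name is not given in the thread.
PROPS_BEFORE = """
[carbonblack:syslog]
KV_MODE = json
"""

PROPS_AFTER = """
[carbonblack:syslog]
KV_MODE = auto
"""

# Constructed sample events. Field names are illustrative only, not Carbon
# Black's documented schema.
SYSLOG_KV_EVENT = (
    'Jan  1 00:00:00 cbserver cb-notifications: type=watchlist.hit '
    'hostname=WS01 username=jdoe '
    'process_path="C:\\Windows\\System32\\cmd.exe" severity=3'
)
JSON_EVENT = (
    'Jan  1 00:00:00 cbserver cb-notifications: '
    '{"type": "watchlist.hit", "hostname": "WS01", "severity": 3}'
)

# key=value or key="quoted value"; quoted values may contain escaped quotes
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def kv_mode(props_text, sourcetype):
    """Read KV_MODE from a props.conf stanza; Splunk's default is auto."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(props_text)
    return cp.get(sourcetype, "KV_MODE", fallback="auto").strip().lower()


def extract_json(raw):
    """Approximate KV_MODE = json: parse the first JSON object in the event.

    A plain key=value line has no JSON object, so nothing is extracted.
    """
    start = raw.find("{")
    if start == -1:
        return {}
    try:
        obj, _ = json.JSONDecoder().raw_decode(raw[start:])
    except json.JSONDecodeError:
        return {}
    return obj if isinstance(obj, dict) else {}


def extract_auto(raw):
    """Approximate KV_MODE = auto: pull key=value pairs out of the raw text."""
    fields = {}
    for key, value in _KV_RE.findall(raw):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields.setdefault(key, value)  # first occurrence of a key wins
    return fields


def extract_fields(raw, mode):
    """Dispatch on the KV_MODE value the way props.conf would."""
    if mode == "json":
        return extract_json(raw)
    if mode == "auto":
        return extract_auto(raw)
    if mode == "none":
        return {}
    raise ValueError("KV_MODE not modelled by this example: %s" % mode)


def fields_for(props_text, sourcetype, raw):
    """Fields a search would see for `raw` under the given props.conf text."""
    return extract_fields(raw, kv_mode(props_text, sourcetype))


if __name__ == "__main__":
    st = "carbonblack:syslog"
    print("KV_MODE=json, key=value event:", fields_for(PROPS_BEFORE, st, SYSLOG_KV_EVENT))
    print("KV_MODE=auto, key=value event:", fields_for(PROPS_AFTER, st, SYSLOG_KV_EVENT))
    print("KV_MODE=json, JSON event:     ", fields_for(PROPS_BEFORE, st, JSON_EVENT))
```

Run it as a script to see the three cases side by side: the json stanza returns an empty field set for the key=value line (the symptom in the thread), the auto stanza returns the five pairs with the quoted path unquoted, and the json stanza still works on an event that actually carries a JSON object. When checking a real deployment, confirm the effective value with `splunk btool props list <sourcetype> --debug` on the search head, since a local/props.conf override can differ from the add-on's default/props.conf.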

tpaulsen
Contributor

Which search mode did you pick in the search app?

darlas
Communicator

Hi.

Search mode? Not sure what you mean.

I was just looking at the KV_MODE setting in the props.conf provided in the app and think it is wrong. It is set to JSON by default. I just changed it to AUTO and it seems to be working now.

There are a few events that are still not parsing quite right but mostly they are correct now.

Thanks!

ppablo
Retired

Hi @darlas

@tpaulsen was referring to this:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Search/Changethesearchmode

So he was asking if you were running your search in Verbose, Fast, or Smart mode to adjust for speed/performance because Fast and possibly Smart mode will not return all fields.
