All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Bit9 Carbon Black: Why are syslog events not parsing into expected fields?

darlas
Communicator
‎11-13-2015 12:03 PM

Hi.

I've just configured Syslog to Splunk on Carbon Black server. Also, the TA has been installed on my Splunk servers.

The Carbon Black events are making it to Splunk as expected, but none of the fields are being parsed out. Since the Syslog event format is key=value pairs, I'd expect to at minimum get those parsed out.

Did I miss something in the setup? Anyone else with this problem?

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

darlas
Communicator
‎11-13-2015 02:40 PM

ah thanks for clarification. Just the default search mode when running adhoc search. I think that is called Smart Mode.

The issue was the KV_MODE setting in props.conf. The syslog events were not in JSON format so changine KV_MODE to AUTO resolved the issue.

View solution in original post

Reply
Solved! Jump to solution
Solution

darlas
Communicator
‎11-13-2015 02:40 PM

ah thanks for clarification. Just the default search mode when running adhoc search. I think that is called Smart Mode.

The issue was the KV_MODE setting in props.conf. The syslog events were not in JSON format so changine KV_MODE to AUTO resolved the issue.

Reply
Solved! Jump to solution

tpaulsen
Contributor
‎11-13-2015 12:59 PM

Which search mode did you pick in the search app? C

0 Karma
Reply
Solved! Jump to solution

darlas
Communicator
‎11-13-2015 01:05 PM

Hi.

Search mode? Not sure what you mean.

I was just looking at the KV_MODE setting in props.conf provided in app and think it is wrong. It is set to JSON by default. I just changed it to AUTO and it seems to be working now.

There are a few events that are still not parsing quite right but mostly they are correct now.

Thanks!

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎11-13-2015 02:11 PM

Hi @darlas

@tpaulsen was referring to this:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Search/Changethesearchmode

So he was asking if you were running your search in Verbose, Fast, or Smart mode to adjust for speed/performance because Fast and possibly Smart mode will not return all fields.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...