Splunk Add-on for Bit9 Carbon Black: Why are syslog events not parsing into expected fields?

darlas
Communicator

Hi.

I've just configured syslog to Splunk on the Carbon Black server. Also, the TA has been installed on my Splunk servers.

The Carbon Black events are making it to Splunk as expected, but none of the fields are being parsed out. Since the Syslog event format is key=value pairs, I'd expect to at minimum get those parsed out.

Did I miss something in the setup? Anyone else with this problem?

Thanks.

1 Solution

darlas
Communicator

Ah, thanks for the clarification. Just the default search mode when running an ad hoc search. I think that is called Smart Mode.

The issue was the KV_MODE setting in props.conf. The syslog events were not in JSON format, so changing KV_MODE to AUTO resolved the issue.

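For anyone hitting the same symptom, the two settings side by side in props.conf. This is an added illustration, not a stanza taken from the Bit9 Carbon Black add-on: the sourcetype name `carbonblack_syslog` and the sample event are placeholders constructed for this example, so substitute the sourcetype the TA actually assigns to your syslog input.

```ini
# Added example, not the add-on's own props.conf. The sourcetype name is a placeholder.
# Constructed sample event (key=value pairs, not JSON):
#   Jan 10 12:00:00 cbserver cb-event: event_type=process hostname=WS01 process_name=cmd.exe username=alice
# KV_MODE is a search-time setting, so this stanza belongs in props.conf on the search head.

# Before: the add-on's default. Splunk tries to parse each event body as JSON;
# a plain key=value line is not valid JSON, so nothing gets extracted.
[carbonblack_syslog]
KV_MODE = json

# After: automatic key=value extraction, which picks up event_type, hostname,
# process_name and username from the sample line above.
[carbonblack_syslog]
KV_MODE = auto
```

To confirm which stanza is actually winning on the search head, run `splunk btool props list carbonblack_syslog --debug` from $SPLUNK_HOME/bin; it prints every setting for that sourcetype together with the file it came from, so a local/props.conf override is easy to spot. Do the check with the search running in Verbose mode, since Fast mode skips field discovery and will hide the result either way.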
tpaulsen
Contributor

Which search mode did you pick in the search app?

darlas
Communicator

Hi.

Search mode? Not sure what you mean.

I was just looking at the KV_MODE setting in the props.conf provided in the app and think it is wrong. It is set to JSON by default. I just changed it to AUTO and it seems to be working now.

There are a few events that are still not parsing quite right but mostly they are correct now.

Thanks!

ppablo
Retired

Hi @darlas

@tpaulsen was referring to this:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Search/Changethesearchmode

So he was asking if you were running your search in Verbose, Fast, or Smart mode to adjust for speed/performance because Fast and possibly Smart mode will not return all fields.
