Hi.
I've just configured Syslog to Splunk on Carbon Black server. Also, the TA has been installed on my Splunk servers.
The Carbon Black events are making it to Splunk as expected, but none of the fields are being parsed out. Since the Syslog event format is key=value pairs, I'd expect to at minimum get those parsed out.
Did I miss something in the setup? Anyone else with this problem?
Thanks.
ah thanks for clarification. Just the default search mode when running adhoc search. I think that is called Smart Mode.
The issue was the KV_MODE setting in props.conf. The syslog events were not in JSON format, so changing KV_MODE to AUTO resolved the issue.
Which search mode did you pick in the search app? C
Hi.
Search mode? Not sure what you mean.
I was just looking at the KV_MODE setting in props.conf provided in app and think it is wrong. It is set to JSON by default. I just changed it to AUTO and it seems to be working now.
There are a few events that are still not parsing quite right but mostly they are correct now.
Thanks!
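A props.conf stanza showing the change described in this thread, as an added example rather than the TA's shipped configuration; the sourcetype name `carbonblack:syslog` and the sample event in the comments are assumed.

```ini
# $SPLUNK_HOME/etc/apps/<TA>/local/props.conf  (added example, not the TA's own file)
# Put the override in local/ so an app upgrade does not overwrite it.
# Sourcetype name is an assumption; use whatever the TA assigns to the syslog feed.
[carbonblack:syslog]

# Shipped default: KV_MODE = json only runs the JSON extractor, so a plain
# key=value syslog line produces no search-time fields at all.
# KV_MODE = json

# Corrected: auto extracts key=value pairs at search time, e.g. a constructed event
#   sensor_id=12 process_name=cmd.exe cmdline="whoami" username=DOMAIN\user
# yields sensor_id, process_name, cmdline and username as fields.
KV_MODE = auto

# Check which value actually wins after layering default/ and local/:
#   splunk btool props list carbonblack:syslog --debug
# KV_MODE is search-time, so the stanza must be present on the search head;
# no indexer restart is needed, and a search like
#   sourcetype=carbonblack:syslog | table sensor_id process_name cmdline
# in Verbose mode is a quick way to confirm the fields appear.
```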
Hi @darlas
@tpaulsen was referring to this:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Search/Changethesearchmode
So he was asking if you were running your search in Verbose, Fast, or Smart mode to adjust for speed/performance because Fast and possibly Smart mode will not return all fields.