My Cylance json data is double extracted in Search...

jenipherc · ‎06-29-2018

This is the search I did in both apps:

“index=cylance_protect sourcetype=device”

And I have this in my props.conf for this device sourcetype.

props.conf 
.../etc/apps/cylance_protect/default/props.conf AUTO_KV_JSON = false 
.../etc/apps/cylance_protect/default/props.conf INDEXED_EXTRACTIONS = json 
.../etc/apps/cylance_protect/default/props.conf KV_MODE = none

Currently, the Cylance app sharing is private.

Could you help me understand why, and how to fix it?

jenipherc · ‎06-29-2018

If the Cylance app sharing is private, that means when you search the sourcetype=device in Search and Reporting, it will not use some of the settings defined in the Cylance app.

Therefore, AUTO_KV_JSON=true and KV_MODE=auto which are the default settings for search-time extractions will be used in Search and Reporting app, causing the json data to be extracted again "search time" in addition to the Indexed-time extraction defined in INDEXED_EXTRACTIONS = json.

In order to fix it, change the Cylance app sharing to Global so that AUTO_KV_JSON = false and KV_MODE = none will be used when you search that outside of Cylance app. The double extraction shouldn't occur.

My Cylance json data is double extracted in Search and Reporting app, but it looks fine under Cylance app.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!