Hi,
I analyzed the Darktrace dashboard queries, and my current JSON syslog does not include the fields "breachUrl" or "modbreachUrl".
Most of the queries contain .... | eval darktraceUrl = coalesce(breachUrl,modbreachUrl) | dedup darktraceUrl | ... and this makes all the queries empty, because it deletes all logs without breachUrl and modbreachUrl.
Try manually adding the flag keepempty=true so that logs with these empty fields are not deleted.
To make it work, all dashboard queries should add this anytime dedup appears:
| eval darktraceUrl = coalesce(breachUrl,modbreachUrl) | dedup darktraceUrl keepempty=true |
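A self-contained search that reproduces the behaviour described in the post above; it is an added example, not part of the original post or of the Darktrace app. The five events, the `n` counter and the `example.invalid` URLs are constructed sample data: two events share a breachUrl, one has only modbreachUrl, and two have neither field.

```spl
| makeresults count=5
| streamstats count AS n
| eval breachUrl=case(n<=2, "https://darktrace.example.invalid/#modelbreach/101")
| eval modbreachUrl=case(n==3, "https://darktrace.example.invalid/#modelbreach/202")
| eval darktraceUrl=coalesce(breachUrl, modbreachUrl)
| dedup darktraceUrl keepempty=true
| table n breachUrl modbreachUrl darktraceUrl
```

With keepempty=true the search returns four rows (n=1, 3, 4, 5); with a plain `dedup darktraceUrl` it returns two (n=1, 3), because dedup discards events in which the field is null. keepempty=true retains every event whose darktraceUrl is empty, so those events are not de-duplicated against each other.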