This message originated from Cribl Community Slack.
Darktrace - Has anyone managed to parse the JSON syslog and convert directly to JSON? _raw:
<165>Feb 16 14:56:36 darktrace.temp.com darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5,"pid":0,"uuid":"659ec8ad-80e8-4182-a7b6-28e0d08260e5","category":"Informational","compliance":false},"device":{"ip":"0.1.2.3","hostname":"test-device.example.com","macaddress":"00:11:22:33:44:55","vendor":"Test Vendor","label":"Test Device","did":0,"sid":0,"uuid":"79e50b72-50b3-449a-ss29-788ac44a9e0f"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"sourceIP":"0.1.2.3","percentScore":100,"breachUrl":"","pbid":123,"score":1,"creationTime":1771253796966,"time":1771253796966,"mitreTechniques":[]}
The <165>Feb 16 14:56:36 darktrace.temp.com darktrace part needs removing, as this is not part of the JSON.
Solved
Darktrace JSON Parsing Issue: Remove Non-JSON Syslog Header From Input
Best answer by David Maislin
Or Eval:
_raw.replace(/^(.+?)({.+)/,'$2')
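A worked version of the accepted answer, added here as an example and not taken from the thread or from Cribl's own code. Cribl Eval expressions are JavaScript, so the same regex runs unchanged in Node. The first function is the one-liner from the answer; the second, parseDarktraceSyslog, is an added variant that locates the JSON start explicitly, keeps the syslog header fields (PRI split into facility/severity, timestamp, host, app name) instead of discarding them, and fails loudly on a truncated payload. SAMPLE_RAW is a constructed line shaped like the one in the question, and the HEADER_RE pattern is an assumption about the RFC 3164-style header Darktrace emits.

```javascript
// Constructed sample shaped like the _raw line in the question (not real Darktrace data).
const SAMPLE_RAW =
  '<165>Feb 16 14:56:36 darktrace.temp.com darktrace ' +
  '{"model":{"name":"Unrestricted Test Model","priority":5,"category":"Informational"},' +
  '"device":{"ip":"0.1.2.3","hostname":"test-device.example.com"},' +
  '"sourceIP":"0.1.2.3","percentScore":100,"score":1,"time":1771253796966,"mitreTechniques":[]}';

// Same expression as the accepted answer: lazily match everything up to the first '{'
// and keep only the JSON part. If the line already starts with '{' it is returned unchanged.
function stripSyslogHeader(raw) {
  return raw.replace(/^(.+?)({.+)/, '$2');
}

// Assumed header layout: <PRI>Mon DD HH:MM:SS hostname appname  (RFC 3164 style).
const HEADER_RE = /^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) /;

// Defensive variant: split on the first '{' explicitly, parse the header so its fields
// survive, and let JSON.parse throw on an invalid or cut-off payload rather than
// silently passing a non-JSON string downstream.
function parseDarktraceSyslog(raw) {
  const start = raw.indexOf('{');
  if (start < 0) throw new Error('no JSON object found in line');
  const header = raw.slice(0, start);
  const m = HEADER_RE.exec(header);
  const pri = m ? Number(m[1]) : null;
  const event = JSON.parse(raw.slice(start)); // throws on truncated/malformed JSON
  return {
    // Syslog PRI = facility * 8 + severity; <165> is local4 (20), notice (5).
    facility: pri === null ? null : Math.floor(pri / 8),
    severity: pri === null ? null : pri % 8,
    timestamp: m ? m[2] : null,
    host: m ? m[3] : null,
    appname: m ? m[4] : null,
    event,
  };
}

// Stand-alone demo.
const parsed = parseDarktraceSyslog(SAMPLE_RAW);
console.log(stripSyslogHeader(SAMPLE_RAW).slice(0, 40) + '...');
console.log(parsed.host, parsed.appname, parsed.severity, parsed.event.model.name);
```

In a Cribl pipeline the first function corresponds to an Eval that sets _raw to the stripped string, after which a JSON parser step can take over; the second shows what is lost if the header is simply thrown away, and why a payload that fails JSON.parse should be routed aside rather than forwarded as a string.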
