All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing Harmony Logs

fraserphillips
Engager
‎04-15-2025 01:43 PM

Our Checkpoint Harmony logs aren't reviewed to often, today I went to look for something, and noticed nothing is parsed.  Going back in the logs, it appears sometime in March, the stream of data coming in drastically changed.  Might be more data coming from Checkpoint Harmony server compared to previously.  I'm trying to create custom field extractions on this data but it keeps crashing the wizard.  Just curious if anyone has any suggestions?  Thanks!

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-15-2025 02:34 PM

Hi @fraserphillips 

Out of interest, did you make any upgrades or changes around March? 

In terms of extracting the fields, if you arent having any joy with the wizard then if you know the values you can add these ":by hand" in either props/transforms.conf files or in the Fields page of the Splunk UI, where you can create field extractions/aliases/transforms etc

https://yourSplunkinstance/en-US/manager/search/fields

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply

fraserphillips
Engager
‎04-29-2025 06:47 AM

Sorry I thought I replied earlier.  There were no major changes made at that time.  The data flowing inbound had made a drastic change, breaking the parsing expressions at that time.

I found initially just using built-in json parsing wasn't working properly, but after massaging the data by dropping some leading characters in the data stream, that worked alot better now.  I don't have the particulars to provide at the moment, but this data is parsable without the need to manually specify regex expressions for each field, or create custom field extractions.

Thanks for your message!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...