All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing Harmony Logs

fraserphillips
Engager
‎04-15-2025 01:43 PM

Our Checkpoint Harmony logs aren't reviewed to often, today I went to look for something, and noticed nothing is parsed.  Going back in the logs, it appears sometime in March, the stream of data coming in drastically changed.  Might be more data coming from Checkpoint Harmony server compared to previously.  I'm trying to create custom field extractions on this data but it keeps crashing the wizard.  Just curious if anyone has any suggestions?  Thanks!

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-15-2025 02:34 PM

Hi @fraserphillips 

Out of interest, did you make any upgrades or changes around March? 

In terms of extracting the fields, if you arent having any joy with the wizard then if you know the values you can add these ":by hand" in either props/transforms.conf files or in the Fields page of the Splunk UI, where you can create field extractions/aliases/transforms etc

https://yourSplunkinstance/en-US/manager/search/fields

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply

fraserphillips
Engager
‎04-29-2025 06:47 AM

Sorry I thought I replied earlier.  There were no major changes made at that time.  The data flowing inbound had made a drastic change, breaking the parsing expressions at that time.

I found initially just using built-in json parsing wasn't working properly, but after massaging the data by dropping some leading characters in the data stream, that worked alot better now.  I don't have the particulars to provide at the moment, but this data is parsable without the need to manually specify regex expressions for each field, or create custom field extractions.

Thanks for your message!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...