Splunk® Supported Add-ons

Splunk Add-on for Check Point Log Exporter


Troubleshoot

Keys not extracting due to large events

Splunk limits the resources the regex engine may spend parsing a single event. If an event is too large, the regex stops extracting key-value pairs partway through the event. When that happens, the resource limit must be raised so that parsing continues. Increase DEPTH_LIMIT in transforms.conf by following these steps. If your events are ingested with the cp_log sourcetype, increase DEPTH_LIMIT in the kv_cp_log_format stanza:

[kv_cp_log_format]
FORMAT = $1::$2
REGEX = ([a-zA-Z0-9_-]+):?=([^|]+)
MV_ADD = true
DEPTH_LIMIT = 200000

If your events are ingested with the cp_log:syslog sourcetype, increase DEPTH_LIMIT in the kv_cp_syslog_log_format stanza:

[kv_cp_syslog_log_format]
FORMAT = $1::$2
REGEX = ([a-zA-Z0-9_-]+):?="((?:[^"\\]|\\.)+)"
MV_ADD = true
DEPTH_LIMIT = 200000
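The following script is an added example, not part of the add-on or of this documentation. It checks a transforms.conf for the raised DEPTH_LIMIT on the two stanzas above, applies each stanza's REGEX with MV_ADD semantics to constructed sample events, and counts key=value segments that produced no field, which is the symptom of an extraction that stopped early. The conf text, the two events, and the assumption that Splunk's default DEPTH_LIMIT is 1000 when the stanza does not set one are all constructed for the example.

```python
"""Offline check for the Check Point Log Exporter KV extractions (added example)."""
import configparser
import re
from collections import defaultdict

# Constructed transforms.conf mirroring the stanzas on this page. The syslog
# stanza deliberately omits DEPTH_LIMIT so the check below has something to find.
TRANSFORMS_CONF = r"""
[kv_cp_log_format]
FORMAT = $1::$2
REGEX = ([a-zA-Z0-9_-]+):?=([^|]+)
MV_ADD = true
DEPTH_LIMIT = 200000

[kv_cp_syslog_log_format]
FORMAT = $1::$2
REGEX = ([a-zA-Z0-9_-]+):?="((?:[^"\\]|\\.)+)"
MV_ADD = true
"""

# Assumption: Splunk applies DEPTH_LIMIT = 1000 when a stanza does not set it.
DEFAULT_DEPTH_LIMIT = 1000
RECOMMENDED_DEPTH_LIMIT = 200000  # the value this page tells you to set

# Constructed sample events; `src` repeats in the cp_log event to show MV_ADD.
CP_LOG_EVENT = (
    "time=1707992100|hostname=fw01|product=Firewall|action=Drop"
    "|src=10.0.0.5|dst=10.0.0.9|service=443|src=10.0.0.6"
)
CP_SYSLOG_EVENT = (
    r'time="1707992100" hostname="fw01" product="Firewall" action="Drop" '
    r'src="10.0.0.5" dst="10.0.0.9" rule_name="Block \"bad\" hosts"'
)


def load_transforms(conf_text):
    """Parse Splunk-style stanza/key=value text without touching key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DEPTH_LIMIT as written, not depth_limit
    cp.read_string(conf_text)
    return cp


def depth_limit(cp, stanza):
    """Effective DEPTH_LIMIT for a stanza (falls back to the assumed default)."""
    return cp.getint(stanza, "DEPTH_LIMIT", fallback=DEFAULT_DEPTH_LIMIT)


def stanzas_below(cp, minimum=RECOMMENDED_DEPTH_LIMIT):
    """kv_cp_* stanzas whose effective DEPTH_LIMIT is still below `minimum`."""
    return [s for s in cp.sections()
            if s.startswith("kv_cp_") and depth_limit(cp, s) < minimum]


def extract_kv(cp, stanza, event):
    """Apply a stanza's REGEX like FORMAT = $1::$2 with MV_ADD = true:
    every match becomes a field, and a repeated key becomes a multivalue field."""
    pattern = re.compile(cp.get(stanza, "REGEX"))
    fields = defaultdict(list)
    for key, value in pattern.findall(event):
        fields[key].append(value)  # values are kept raw; Splunk does not unescape \"
    return dict(fields)


def missing_pairs(event, fields):
    """Number of key=value segments in the event that yielded no field.
    A non-zero result on a large event means extraction stopped early."""
    expected = len(re.findall(r"[a-zA-Z0-9_-]+:?=", event))
    extracted = sum(len(values) for values in fields.values())
    return expected - extracted


if __name__ == "__main__":
    conf = load_transforms(TRANSFORMS_CONF)
    print("stanzas below recommended DEPTH_LIMIT:", stanzas_below(conf))
    for stanza, event in (("kv_cp_log_format", CP_LOG_EVENT),
                          ("kv_cp_syslog_log_format", CP_SYSLOG_EVENT)):
        fields = extract_kv(conf, stanza, event)
        print(stanza, fields, "missing:", missing_pairs(event, fields))
```

Run it against your real transforms.conf text and a copy of one of the oversized events from your index: a stanza listed by stanzas_below, or a non-zero missing_pairs count, points at the problem this page describes. Python's re module has no equivalent of PCRE's depth limit, so the extraction here shows what a complete parse should return, not where Splunk would stop.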
Last modified on 15 February, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

