Skip to main content
Solved

Is anyone else having trouble with the JOURNALD parser that doesn't normalize event fields to UDM?

  • October 6, 2025
  • 2 replies
  • 58 views
ar3diu
Forum|alt.badge.img+9

All Journald fields end up in the extracted_fields.

https://cloud.google.com/chronicle/docs/ingestion/parser-list/journald-changelog

Best answer by cmmartin_google

A parser updated was recently added and is expected to start rolling out from the 7th October onwards that will normalize those JOURNALD added fields.

2 replies

C
Staff
Forum|alt.badge.img+12

A parser updated was recently added and is expected to start rolling out from the 7th October onwards that will normalize those JOURNALD added fields.

    ar3diu
    Forum|alt.badge.img+9
    • ar3diuSilver 2
    • Author
    • Silver 2
    • October 14, 2025

    ​@cmmartin_googleΒ Is there anything we should do to get the update?

    I checked the logs this morning and the `metadata.parser_version = "1.0"`. Also, no updates in the docs page:Β https://cloud.google.com/chronicle/docs/ingestion/parser-list/journald-changelogΒ 

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.