Parser Field Descriptions
The following table lists and describes parser fields, and whether they apply differently to Data Lake and Advanced Analytics:
Field | Description | In Data Lake | In Advanced Analytics |
---|---|---|---|
Name | The name of the parser. You will use this name when creating event builders. You will see this name in Each parser name must be distinct: if two parsers share a name, the one read later in the configuration files overwrites the one read earlier. | | |
Vendor | The name of the company or vendor that builds or sells the logging source. In the Parser Parameter Definition example, Office 365 is the log source that generates the activity logs, and Microsoft is the company that builds the product. | The value of this parameter will be in the vendor field, which will be indexed and searchable. | This is searchable from Threat Hunter. |
Product | The name of the product that generates these logs. | The value of this parameter will be in the product field, and will be indexed and searchable. | This value is searchable in Threat Hunter. |
Lms | This is an optional field used for parser management. It does not have any effect on the parsed log. In the previous example, Direct means the logs are being ingested via syslog directly from the log source, rather than through a log management system. Other possible values are DataLake, Splunk, Qradar, and Arcsight, if one of these happens to be the log management system forwarding logs to Advanced Analytics. | This field has no effect. | This field has no effect. |
DataType | Identifies the type of event the log represents. | The value of this parameter is used to classify and display the applicable event category in the Data Lake UI. | This field has no effect. |
TimeFormat | A regex-style definition of the structure of the parsed time field. Exabeam supports Unix timestamp formats for parsers, as well as any format that is Unix-readable. If the time field is parsed as a 10-digit number, such as epoch time, then the value for TimeFormat would be | ||
Conditions | A set of strings that must be present in the log for the parser to begin evaluating it. The regexes are compared against the log only if all conditions are met. | | |
Fields | All the regexes for this parser, where the fields are actually extracted. For any regex, you can parse as many fields as you want. In the previous example, some regexes parse multiple fields, such as the regex parsing | ||
ISHVF | Ishvf = IsHighVolumeFeed. This field is deprecated as of Advanced Analytics i46. For pre-i46 versions, set this to true ("Ishvf = true") if the parser matches a large volume of logs ingested by the ingestion engine. | | |
DupFields | This is an array that duplicates parsed fields under new field names. It is much more efficient than duplicating the regex. In the previous example, "app" is already parsed by the regexes; you can also create a duplicate field called "resource" that receives the value parsed as "app". | | |
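To make the interplay of these fields concrete, the following added example models how a definition with Conditions, Fields, DupFields and a 10-digit epoch TimeFormat is applied to a log line. It is illustrative Python, not Exabeam's engine or its configuration syntax; the parser dictionary, the "epoch_sec" label and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed parser definition modelled on the fields in the table above.
# The real configuration syntax differs; this dict is an assumption for illustration.
O365_PARSER = {
    "Name": "o365-file-accessed",
    "Vendor": "Microsoft",
    "Product": "Office 365",
    "Conditions": ["FileAccessed", "UserId="],   # all must be present before regexes run
    "TimeFormat": "epoch_sec",                    # assumed label for a 10-digit Unix timestamp
    "Fields": [
        r"CreationTime=(?P<time>\d{10})",
        r"UserId=(?P<user>[^\s,]+)",
        r"Workload=(?P<app>\w+)",
    ],
    "DupFields": {"app": "resource"},             # copy parsed "app" into "resource"
}


def apply_parser(parser, log):
    """Return the parsed fields, or None when a Condition is missing (regexes are skipped)."""
    if not all(cond in log for cond in parser["Conditions"]):
        return None
    # Vendor and Product become indexed fields on every event this parser produces.
    fields = {"vendor": parser["Vendor"], "product": parser["Product"]}
    for pattern in parser["Fields"]:
        m = re.search(pattern, log)
        if m:
            fields.update(m.groupdict())
    # DupFields: cheap copy instead of a second regex for the same text.
    for src, dst in parser["DupFields"].items():
        if src in fields:
            fields[dst] = fields[src]
    # TimeFormat: a 10-digit epoch value is converted to a UTC datetime.
    if parser["TimeFormat"] == "epoch_sec" and "time" in fields:
        fields["time"] = datetime.fromtimestamp(int(fields["time"]), tz=timezone.utc)
    return fields


# Constructed sample log lines (not real Office 365 output).
MATCHING_LOG = ("CreationTime=1700000000 Operation=FileAccessed "
                "UserId=alice@example.com Workload=SharePoint")
NON_MATCHING_LOG = ("CreationTime=1700000000 Operation=UserLoggedIn "
                    "UserId=alice@example.com Workload=AzureActiveDirectory")
```

Running `apply_parser(O365_PARSER, NON_MATCHING_LOG)` returns None because the "FileAccessed" condition is absent, so none of the regexes are evaluated for that line.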