Parsing for Data Lake

Data Lake is designed to work with any log source and does not require a parser for much of its functionality. Data Lake can ingest, index, and search all logs even if they are not parsed.

Because parsing is a complex and resource-intensive stage of the Data Lake pipeline, it can affect performance, so use parsers only where necessary. You can always go back in Data Lake and reparse old logs.

In Data Lake, you can do the following without a parser:

  • Send logs to Data Lake (ingest and index)

  • Set log retention

  • Perform string-based searches

  • Create rules on your data

  • Create certain reports and dashboards

    Note

    You are limited in the types of rules, reports, and dashboards you can create without a parser since you do not get the benefit of field values.

If the data is parsed, these additional features are available:

  • Field-specific reports and dashboards

  • Field-specific visualizations

  • Field-specific rules

  • Adding context to logs, which makes them searchable
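
The difference between string-based search on unparsed logs and a field-specific rule on parsed logs, as an added example that is not Exabeam code and does not use Exabeam parser syntax. The log lines are constructed, and the `PARSER` structure, field names, and function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample logs (not taken from any real system).
RAW_LOGS = [
    "2024-05-01T10:00:01Z sshd[811]: Failed password for alice from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:03Z sshd[811]: Failed password for alice from 203.0.113.7 port 50124 ssh2",
    "2024-05-01T10:00:05Z sshd[811]: Failed password for alice from 203.0.113.7 port 50126 ssh2",
    "2024-05-01T10:00:09Z sshd[811]: Accepted password for bob from 198.51.100.4 port 40110 ssh2",
    "2024-05-01T10:01:00Z backup[92]: job nightly failed: disk full",
    "2024-05-01T10:02:00Z sshd[811]: Failed password for bob from 198.51.100.4 port 40112 ssh2",
]

# Hypothetical parser: a cheap substring condition gates the costlier regex,
# so parsing effort is spent only on the log type that needs field values.
PARSER = {
    "condition": "sshd[",
    "pattern": re.compile(
        r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)"
    ),
}

def string_search(logs, term):
    """Works on unparsed logs: case-insensitive substring match only."""
    return [line for line in logs if term.lower() in line.lower()]

def parse(logs, parser=PARSER):
    """Add fields to lines that meet the parser condition; the raw text is
    always kept, which is what makes reparsing old logs possible later."""
    events = []
    for line in logs:
        event = {"raw": line}
        if parser["condition"] in line:
            match = parser["pattern"].search(line)
            if match:
                event.update(match.groupdict())
        events.append(event)
    return events

def failed_login_rule(events, threshold=3):
    """Field-specific rule: (user, src_ip) pairs with >= threshold failures."""
    counts = Counter(
        (e["user"], e["src_ip"]) for e in events if e.get("outcome") == "Failed"
    )
    return sorted(pair for pair, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(len(string_search(RAW_LOGS, "failed")), "string hits")
    print(failed_login_rule(parse(RAW_LOGS)))
```

The string search also returns the unrelated backup failure and cannot group by user or source address; the rule over parsed fields can.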