Define a Subset of the Sample Logs
After the sample logs are analyzed, their conditions are compared with the conditions of existing parsers, and a match is identified when the conditions are similar. Identifying similar existing parsers helps extract information from the sample logs correctly.
Once the sample logs have been analyzed and matched to existing parsers, you must decide which subset of the logs you want to create a parser for:
Using logs that match an existing parser you want to duplicate and modify
In the Matching Parsers section of the page, under the Matching Parsers tab, review the existing parsers that match the sample logs. If there are a large number of parsers, reduce the list in one of the following ways:
Filter the list of matching parsers by using the drop down menus at the top of the list for Type, Vendor, and Event.
Note
For information about the available parser type categories, see Parser Types.
Use the Search bar to further narrow the number of matching parsers in the list.
(Optional) Ensure that the matched parser is parsing your sample logs correctly. Although parser conditions are used to match parsers to your sample logs, parsers use regular expressions, not conditions, to extract values from the logs. Even if a parser's conditions match the sample logs, its regular expressions may extract values incorrectly.
To check the parsing details for a specific matched parser:
Click View Parser Details to the right of the parser you want to check. The Parser Details screen is displayed.
In the middle of the Parser Details screen, click the Fields tab. You can view which fields the parser is configured to extract values for and information about those fields.
In the middle of the Parser Details screen, click the Extraction Preview tab. You can examine the extracted field matches in the following ways:
To view the fields that have a matching value in every log, select Matches above the log line display. Ensure that the parser has extracted log values to the appropriate event type field. For example, src_ip should contain an IP address. Click the arrow to view the matching values highlighted in the raw log.
To view the fields that don't have a matching value in every log, select Non-matches.
To view which log values match the parser conditions, select the CONDITIONS tab. Each log is numbered and the matched log values are listed.
When you display the parser, category, and categorization contents in the Configuration Files section, the configuration fields are a preview of the package contents.
To edit the matched parser, select Edit, and then skip to Step 7.
To download the matched parser and event builder, click Download.
Click + New Parser in the Matching Parsers section of the page.
The Add Conditions page appears.
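The Extraction Preview check above rests on one point: conditions only decide whether a parser matches a log, while regular expressions do the extraction, so a matching parser can still fill a field with the wrong kind of value. The following added example (not the product's parser format or code; the log lines, parser model and field names are constructed) models that split and reproduces the Matches / Non-matches view, flagging any src_ip or dst_ip value that is not actually an IP address.

```python
import re
import ipaddress

# Constructed sample logs; the third line carries a hostname where an IP is expected.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 fw1 vendorx: action=allow src=10.0.0.5 dst=192.168.1.20 proto=tcp",
    "Jan 10 10:01:03 fw1 vendorx: action=deny src=10.0.0.9 dst=192.168.1.21 proto=udp",
    "Jan 10 10:01:04 fw1 vendorx: action=allow src=host-17 dst=192.168.1.22 proto=tcp",
]

# Minimal parser model (hypothetical, not the product's schema): substring conditions
# decide whether the parser matches a line; regexes, not conditions, extract the fields.
PARSER = {
    "conditions": ["vendorx:", "action="],
    "fields": {
        "action": r"action=(\S+)",
        "src_ip": r"src=(\S+)",
        "dst_ip": r"dst=(\S+)",
        "user": r"user=(\S+)",  # absent from every sample, so it lands in Non-matches
    },
}

def conditions_match(line, conditions):
    return all(c in line for c in conditions)

def extract_fields(line, fields):
    """Return {field: value} for every field regex that matches this line."""
    out = {}
    for name, pattern in fields.items():
        m = re.search(pattern, line)
        if m:
            out[name] = m.group(1)
    return out

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def extraction_preview(logs, parser):
    """Matches = fields with a value in every matched log; Non-matches = the rest;
    bad_ips = (log number, field, value) where an *_ip field holds a non-IP value."""
    matched = [l for l in logs if conditions_match(l, parser["conditions"])]
    results = [extract_fields(l, parser["fields"]) for l in matched]
    matches = [f for f in parser["fields"] if all(f in r for r in results)]
    non_matches = [f for f in parser["fields"] if f not in matches]
    bad_ips = [(i, f, r[f]) for i, r in enumerate(results, 1)
               for f in r if f.endswith("_ip") and not is_ip(r[f])]
    return {"matched_logs": len(matched), "matches": matches,
            "non_matches": non_matches, "bad_ips": bad_ips}
```

All three lines satisfy the conditions, yet the preview reports src_ip on log 3 as "host-17", which is exactly the kind of mismatch the Matches view is meant to surface before you reuse the parser.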
Using logs that don't match any existing parsers
Click the Log lines that don't match a parser tab.
Review the log lines that didn't match any existing parsers.
Click Create new parser.
The Add Conditions page appears.