Extract Fields Using Regular Expressions
For each field you want to extract, enter a regular expression. To help validate the expression, you can also enter a key.
You can enter a regular expression using either JRegex or Perl Compatible Regular Expressions (PCRE) syntax. Keep in mind that both LIME and the Data Lake Parsing Engine only work with parser and event builder files that use JRegex syntax. If you enter a regular expression using PCRE syntax, Auto Parser Generator automatically converts it into JRegex syntax in the background so the parser and event builder file created at the end of this process uses JRegex syntax.
There are three ways to enter a regular expression for a field:
- Generate a regular expression directly from a value in the sample log
- Manually enter a regular expression or key – You can also use this method to edit a regular expression you created using the other two methods.
After you have mapped all of the necessary fields for extraction, ensure the fields are in the correct order, review the matching event type fields and log values, then continue building your custom parser by configuring event builders.
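The following is an added example, not Auto Parser Generator's own conversion code. It rewrites PCRE named groups into the JRegex `({name}...)` form and checks the resulting field expressions against a sample log line offline. It assumes named-group syntax is the only difference that needs handling; the function names, field names and log line are constructed for illustration.

```python
import re

# Either an escaped character (left untouched) or a PCRE named-group opener.
# Lookbehinds "(?<=" / "(?<!" never match: a group name must start with a letter or "_".
_PCRE_GROUP = re.compile(r"(\\.)|\(\?P?<([A-Za-z_]\w*)>", re.S)
# Same approach for the JRegex named-group opener "({name}".
_JREGEX_GROUP = re.compile(r"(\\.)|\(\{([A-Za-z_]\w*)\}", re.S)


def pcre_to_jregex(expr):
    """Rewrite (?<name>...) and (?P<name>...) as the JRegex form ({name}...)."""
    return _PCRE_GROUP.sub(lambda m: m.group(1) or "({" + m.group(2) + "}", expr)


def jregex_to_python(expr):
    """Rewrite ({name}...) as (?P<name>...) so Python's re module can test it."""
    return _JREGEX_GROUP.sub(lambda m: m.group(1) or "(?P<" + m.group(2) + ">", expr)


def extract_fields(jregex_exprs, log_line):
    """Apply one JRegex-style expression per field; the first match per field wins."""
    fields = {}
    for expr in jregex_exprs:
        match = re.search(jregex_to_python(expr), log_line)
        if match:
            for name, value in match.groupdict().items():
                if value is not None:
                    fields.setdefault(name, value)
    return fields


# Constructed sample log line and field expressions (not taken from any product).
SAMPLE_LOG = ("2024-05-01T10:15:00Z host1 sshd[411]: "
              "Failed password for alice from 203.0.113.7 port 50122 ssh2")
PCRE_EXPRS = [
    r"for\s(?<user>\S+)\sfrom",
    r"from\s(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\sport",
    r"port\s(?<src_port>\d+)",
]
JREGEX_EXPRS = [pcre_to_jregex(e) for e in PCRE_EXPRS]

if __name__ == "__main__":
    for expr in JREGEX_EXPRS:
        print(expr)
    print(extract_fields(JREGEX_EXPRS, SAMPLE_LOG))
```

The rewrite does not special-case character classes, so an opener-like sequence inside `[...]` would also be rewritten.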