Generate a Regular Expression Directly from a Value in the Sample Logs
To generate a regular expression by selecting one of the already tokenized values in the sample log:

1. In the Sample Log Lines section at the bottom of the screen, click one of the tokenized values highlighted in grey. A Map Token to Event Field dialog box opens.
2. In the dialog box, use the drop-down menu to select the CIM field you want to map the tokenized value to. The options are grouped according to whether they are core, detection, or informational fields for the specified activity type. You can also click + New field at the bottom of the list to create a custom field.
3. Click Map Extraction to save the mapping.
4. Check the following after you save the mapping:
   - In the table of mapped regular expression fields at the top of the screen, ensure that a new row has been added. It should include the tokenized value you selected, the CIM field you mapped it to, and the regular expression that defines it.
   - In the % LINES column of the same table, verify the percentage of sample log lines from which the regular expression extracted a value.
   - In the Sample Log Lines section at the bottom of the screen, ensure that the mapped field extracts the appropriate value from the sample log. Mapped values appear highlighted in various colors.
5. Repeat the process: select another tokenized value from the sample log, select a CIM field, and click Map Extraction to save the field mapping.

Note
In some cases, the host and time fields may be required but you can't find appropriate values in the sample log. In such cases, if the sample log was retrieved from a SIEM, like Advanced Analytics, you can manually enter a regular expression using special keys.

6. Continue to select and map tokenized values until you have mapped all of the core fields and any of the detection, informational, or custom fields you think will be useful.
7. After you have selected all of the necessary fields for extraction, ensure the fields are in the correct order, review the matching event type fields and log values, then continue building your custom parser by configuring event builders.
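The checks in step 4 (a one-capture-group regular expression per mapped field, the percentage of sample lines it extracts a value from, and the extracted values themselves) can be reproduced outside the parser UI. The following Python script is an added example and is not part of the Log Stream product or its documentation: the sample log lines are constructed, the field names (time, host, user, src_ip) and the required-field list are assumed placeholders rather than the product's CIM field names, and the regular expressions are illustrative, not the ones the Parser Manager generates.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not from any product). Two lines deliberately
# lack a user or a source IP so that coverage is below 100% for those fields.
SAMPLE_LOG_LINES: List[str] = [
    "2024-01-15T10:01:02Z srv01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 50222 ssh2",
    "2024-01-15T10:01:09Z srv01 sshd[2210]: Failed password for bob from 10.0.0.9 port 50231 ssh2",
    "2024-01-15T10:02:41Z srv02 sshd[1182]: Accepted publickey for carol from 10.0.1.7 port 41010 ssh2",
    "2024-01-15T10:03:00Z srv02 sshd[1190]: Received disconnect from 10.0.1.7 port 41010",
    "2024-01-15T10:03:15Z srv03 sshd[930]: pam_unix(sshd:session): session opened for user alice",
]

# Assumed field names (placeholders, not the product's CIM names), each mapped to a
# regular expression whose single capture group is the value to extract.
FIELD_EXTRACTIONS: Dict[str, str] = {
    "time": r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s",
    "host": r"^\S+\s+(\S+)\s+sshd\[",
    "user": r"\bfor\s+(?:user\s+)?([A-Za-z][A-Za-z0-9_.-]*)\b",
    "src_ip": r"\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\b",
}

# Assumed: fields the parser treats as mandatory (the page names host and time).
REQUIRED_FIELDS = ("host", "time")


def has_single_capture_group(pattern: str) -> bool:
    """A field extraction must capture exactly one value per line."""
    return re.compile(pattern).groups == 1


def extract_field(pattern: str, line: str) -> Optional[str]:
    """Return the captured value for one line, or None if the pattern does not match."""
    match = re.search(pattern, line)
    return match.group(1) if match else None


def extract_values(fields: Dict[str, str], lines: List[str]) -> Dict[str, List[Optional[str]]]:
    """Per field, the value extracted from each sample line (None where there is no match)."""
    return {name: [extract_field(pat, ln) for ln in lines] for name, pat in fields.items()}


def coverage(fields: Dict[str, str], lines: List[str]) -> Dict[str, float]:
    """Percentage of sample lines from which each field's regex extracted a value,
    which is what the % LINES column reports."""
    values = extract_values(fields, lines)
    return {
        name: round(100.0 * sum(v is not None for v in vals) / len(lines), 1)
        for name, vals in values.items()
    }


def missing_required(fields: Dict[str, str], lines: List[str],
                     required=REQUIRED_FIELDS) -> Dict[str, List[int]]:
    """Indexes of lines where a required field could not be extracted.
    An empty dict means every required field is present on every line."""
    values = extract_values(fields, lines)
    gaps = {}
    for name in required:
        idx = [i for i, v in enumerate(values[name]) if v is None]
        if idx:
            gaps[name] = idx
    return gaps


if __name__ == "__main__":
    for name, pattern in FIELD_EXTRACTIONS.items():
        assert has_single_capture_group(pattern), f"{name}: regex must have one capture group"
    pct = coverage(FIELD_EXTRACTIONS, SAMPLE_LOG_LINES)
    vals = extract_values(FIELD_EXTRACTIONS, SAMPLE_LOG_LINES)
    print(f"{'FIELD':<8}{'% LINES':>8}  VALUES")
    for name in FIELD_EXTRACTIONS:
        print(f"{name:<8}{pct[name]:>7.1f}%  {vals[name]}")
    print("required-field gaps:", missing_required(FIELD_EXTRACTIONS, SAMPLE_LOG_LINES))
```

Running the script prints a table shaped like the mapped-fields table in the UI. A field whose % LINES value is below 100 is not necessarily wrong (the src_ip and user fields legitimately have no value on one line each), but a required field below 100% is the situation the Note describes, and `missing_required` points at the exact sample lines to inspect before deciding whether to rewrite the expression.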