
Log Stream Guide

Generate a Regular Expression from a List of Keys

To generate a new regular expression from a list of keys:

  1. In the Regular Expression table at the top of the screen, start in the Key in Raw Log column by clicking Select in the Key field of row 1. The Select a Field dialog box opens and lists all of the key/value pairs found in the sample log.

    [Screenshot: select-key-regex.png]
  2. Scroll through the listed key/value pairs to find the first field you want to map. Click to select it and then click Select key. The selected key appears in the Key field of row 1.

    [Screenshot: select-field-regex.png]
  3. In the Maps to Field column in row 1, select from the drop-down menu the CIM field that you want to map the key to. The options are grouped according to whether they are core, detection, or informational fields for the specified activity type. You can also click + New field at the bottom of the list to create a custom field.

    [Screenshot: select-field.png]

    After you select a field, a regular expression corresponding to the mapped field is displayed in the Regular Expression column.

  4. To save the first regular expression, click the check at the far right side of row 1. The field mapping is saved. You can check the Sample Log Lines section at the bottom of the page to see whether the mapped field extracts any value from the sample log. Mapped values appear highlighted in various colors.

  5. In the % LINES column, verify the percentage of log lines from which the regular expression extracted a value.

  6. To map another field, click + New Regular Expression. A new row appears in the table.

  7. Repeat the process to select a key field, map it to a CIM field, and click the check to save the field mapping.

  8. Continue to add regular expression rows until you have mapped all of the core fields and any of the detection, informational, or custom fields you think will be useful.

  9. After you have selected all of the necessary fields for extraction, ensure the fields are in the correct order, review the matching event type fields and log values, then continue building your custom parser by configuring event builders.
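The procedure above, reduced to code as an added illustration (this is not the Log Stream product's own implementation): a key chosen from the raw log is turned into a `key=value` regular expression, the regex is mapped to a CIM-style field, and the "% LINES" figure is computed as the share of sample lines from which a value was extracted. The sample log lines and the CIM field names (`user_name`, `source_address`, `outcome`) are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z user=alice src_ip=10.0.0.5 action=login result=success",
    "ts=2024-01-01T10:00:07Z user=bob src_ip=10.0.0.9 action=login result=failure",
    "ts=2024-01-01T10:00:09Z user=carol action=logout result=success",
    'ts=2024-01-01T10:00:12Z service=sshd msg="connection closed"',
]

# Saved rows of the Regular Expression table: raw-log key -> mapped field.
# The field names are assumptions, not the product's CIM field list.
FIELD_MAP = {"user": "user_name", "src_ip": "source_address", "result": "outcome"}


def generate_regex(key: str) -> re.Pattern:
    """Generate the Regular Expression column entry for a selected key.

    Matches `key=value` where the value is either double-quoted (may contain
    spaces) or runs to the next whitespace. The leading `(?:^|\\s)` stops the
    key matching inside a longer key such as `src_ip` when `ip` was selected,
    and re.escape guards against metacharacters in the key itself.
    """
    return re.compile(
        r"(?:^|\s)" + re.escape(key) + r'=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
    )


def extract(pattern: re.Pattern, line: str) -> Optional[str]:
    """Return the value the regex extracts from one raw log line, or None."""
    m = pattern.search(line)
    if not m:
        return None
    return m.group("quoted") if m.group("quoted") is not None else m.group("bare")


def percent_lines(pattern: re.Pattern, lines: list) -> float:
    """The '% LINES' column: percentage of sample lines yielding a value."""
    if not lines:
        return 0.0
    hits = sum(1 for line in lines if extract(pattern, line) is not None)
    return round(100.0 * hits / len(lines), 1)


def map_line(line: str, field_map: dict = FIELD_MAP) -> dict:
    """Apply every saved key -> field mapping to one line (the highlighted
    values shown under Sample Log Lines), keyed by the mapped field name."""
    mapped = {}
    for key, field in field_map.items():
        value = extract(generate_regex(key), line)
        if value is not None:
            mapped[field] = value
    return mapped
```

A low "% LINES" value for a core field is the signal to go back and pick a different key or add another regular expression row, since the parser will otherwise leave that field empty for most events.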