Reorder Regular Expressions
After you have used the methods above to generate regular expressions and map them to CIM fields, consider the order of rows in the Regular Expressions table in the UI. A parser evaluates its regular expressions against a log consecutively from top to bottom. Ensure that the regular expressions in the table at the top of the screen are in an order that correctly parses your logs.
You can edit the rows of regular expressions in the following ways:
– To change the order of the rows in the table, click the move icon on the left of a row and drag it to another location in the table.
– To edit a saved row, click the edit icon and make modifications to the field mapping.
– To remove a row and its mapped field, click the delete icon.
When you are satisfied with the order of the rows in the Regular Expressions table, review the matched fields and values as they are represented in the sample log line in the UI.
If you enter multiple regular expressions for the same field, the values that are parsed but will not be extracted are outlined under Sample Log Lines.
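The effect of row order can be modeled outside the UI. The following is an added example, not the product's own code: it assumes that the first matching row for a field supplies the extracted value and that later matches for the same field are the ones outlined as not extracted. The field names src_ip and user, the log line, and the patterns are constructed for illustration.

```python
import re

# Constructed sample log line: a relay address appears before the real source.
SAMPLE_LOG = ("Jan 12 10:03:44 fw01 relay=198.51.100.20 sshd[411]: "
              "Failed password for admin from 203.0.113.7 port 52144 ssh2")

# Each row is (field, pattern); the named group carries the field's value.
GENERIC_IP = ("src_ip", r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})")
SPECIFIC_IP = ("src_ip", r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port")
USER = ("user", r"for (?P<user>\S+) from")


def extract(rows, log):
    """Evaluate rows top to bottom, as the Regular Expressions table does.

    Assumption: the first row that matches for a field wins. Later rows that
    match the same field are returned as shadowed (parsed, not extracted).
    """
    extracted, shadowed = {}, []
    for position, (field, pattern) in enumerate(rows, start=1):
        match = re.search(pattern, log)
        if match is None:
            continue  # this row does not apply to this log line
        value = match.group(field)
        if field in extracted:
            shadowed.append((position, field, value))
        else:
            extracted[field] = value
    return extracted, shadowed


def compare_orders(log):
    """Return results for the generic-first and specific-first orderings."""
    generic_first = extract([GENERIC_IP, USER, SPECIFIC_IP], log)
    specific_first = extract([SPECIFIC_IP, USER, GENERIC_IP], log)
    return generic_first, specific_first


if __name__ == "__main__":
    for label, (fields, lost) in zip(("generic first", "specific first"),
                                     compare_orders(SAMPLE_LOG)):
        print(label, fields, "shadowed:", lost)
```

With the generic pattern on top, src_ip holds the relay address and the real source is only shadowed, so any detection keyed on src_ip would see the wrong host; placing the more specific row first corrects it.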