Extract Mapped JSON Fields
If your sample log is in JSON format, the Parser Manager selects the JSON Mapped fields option in the Extraction type field. However, if you prefer to use regular expressions, you can select the Regular Expressions option and continue with the procedure in Extract Fields Using Regular Expressions.
Benefits of Extracting Mapped JSON Fields
With JSON, the data is represented in key/value pairs, which makes it simpler to map them to the appropriate Exabeam common information model (CIM) fields. In contrast, when using regular expressions, you have to identify the keys and values separately, which complicates the process of mapping to CIM fields.
JSON is more flexible than regex, which makes it well suited to the high degree of configurability in modern cloud-based log sources. JSON extraction does not depend on the order of fields in a log, or on whether a log carries more or fewer fields than expected. Regular expressions, in contrast, are tightly coupled to the exact format of the log: if the fields appear in a different order, the regex no longer matches and the parser fails on that log.
Extracting natively from JSON therefore adds to the stability of the parsers in the system.
Methods for Mapping JSON Fields
There are three ways to map a JSON field to a CIM field. Follow the links below for detailed procedures:
Select JSON fields from a list of key/value pairs – Select fields from the key/value pairs the Parser Manager lists for the sample log.
Select tokenized JSON fields from the values in the sample log – Select fields by choosing the tokenized values shown in the sample log.
Manually enter JSON path expressions – This method can map any field, and it is the only method you can use when the field you need is inside an array object.
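The following Python is an added illustration, not code from the Exabeam documentation or product. It shows both points made on this page: a regex parser tied to field order silently breaks when the same event arrives with its keys reordered, while a JSON path mapping extracts the same values regardless of order, tolerates extra or missing keys, and can reach into an array (the case that requires a manually entered path expression). The sample logs, the small `json_path` evaluator (dotted keys and `[index]` steps only), and the target field names in `FIELD_MAPPING` are all constructed for this example; the names are illustrative and are not a list of real CIM fields.

```python
import json
import re

# Constructed sample logs (not from the original page). LOG_B is the same event as
# LOG_A with the keys in a different order; LOG_C drops a key and adds an unexpected one.
LOG_A = '{"user":"alice","src_ip":"10.0.0.5","action":"login","result":"success","tags":["mfa","vpn"]}'
LOG_B = '{"action":"login","result":"success","src_ip":"10.0.0.5","user":"alice","tags":["mfa","vpn"]}'
LOG_C = '{"user":"alice","action":"login","result":"success","extra":1,"tags":["mfa","vpn"]}'

# A regex written against LOG_A. It hard-codes the key order, which is exactly
# the coupling the page warns about.
ORDER_DEPENDENT_RE = re.compile(
    r'"user":"(?P<user>[^"]*)","src_ip":"(?P<src_ip>[^"]*)","action":"(?P<action>[^"]*)"'
)


def regex_extract(log):
    """Return the captured groups, or None when the regex does not match (parser failure)."""
    m = ORDER_DEPENDENT_RE.search(log)
    return m.groupdict() if m else None


def json_path(doc, path):
    """Evaluate a simple JSON path such as 'event.user' or 'tags[0]' against a parsed document.

    Returns None when any step is missing, so an absent field yields an empty value
    instead of failing the whole parser.
    """
    cur = doc
    for idx, key in re.findall(r"\[(\d+)\]|([^.\[\]]+)", path):
        if idx != "":
            if not isinstance(cur, list) or int(idx) >= len(cur):
                return None
            cur = cur[int(idx)]
        else:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
    return cur


# Illustrative target-field -> JSON path mapping (assumed names, not real CIM fields).
# "auth_method" uses an array index, which is the case that needs a manual path expression.
FIELD_MAPPING = {
    "user": "user",
    "src_ip": "src_ip",
    "activity": "action",
    "outcome": "result",
    "auth_method": "tags[0]",
}


def json_extract(log, mapping=FIELD_MAPPING):
    """Map a raw JSON log to the target fields; None if the log is not valid JSON."""
    try:
        doc = json.loads(log)
    except json.JSONDecodeError:
        return None
    return {target: json_path(doc, path) for target, path in mapping.items()}


def order_independent(log_a, log_b):
    """True when JSON mapping yields identical fields for two logs with reordered keys."""
    return json_extract(log_a) == json_extract(log_b)


if __name__ == "__main__":
    print("regex on LOG_A:", regex_extract(LOG_A))
    print("regex on LOG_B:", regex_extract(LOG_B))
    print("json  on LOG_A:", json_extract(LOG_A))
    print("json  on LOG_B:", json_extract(LOG_B))
    print("json  on LOG_C:", json_extract(LOG_C))
```

Running the block prints a match for the regex only on LOG_A, while the JSON mapping returns the same fields for LOG_A and LOG_B and simply leaves `src_ip` empty for LOG_C instead of dropping the event. From a detection standpoint that difference matters: a parser that fails on reordered or extended logs produces silent gaps in the events a SIEM sees.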
After you have selected all of the necessary fields for extraction, ensure the fields are in the correct order, review the matching event type fields and log values, then continue building your custom parser by configuring event builders.