Add Logic to JSON Field Extraction
When extracting values from JSON fields and mapping them to CIM fields, you can use different types of logic to extract precise values. Rather than simple one-to-one mapping of one raw log field to one CIM field, you can add logic that will extract a value only if a specific condition is met. You can also add logic to extract only a specific granular portion of a value.
This type of logic is applied while creating a new custom parser, at the step where you extract mapped JSON fields. Two columns in the mapping table let you add logic: Extraction Condition and Substring Regex. The sections below describe each type of logic:
Add an Extraction Condition
If you want to apply conditions to how a field value from the raw log is extracted for mapping to a CIM field, enter a logical condition in the Extraction Condition column; the mapping then takes place only in the scenarios where that condition is met. For instance, you might want to map a value only if it contains a specific word, or only if another field in the same log contains a specific value.
For example, on row 1 in the image below, the value from the eventCategory field in the raw log is mapped to the alert_name CIM field only if the raw log value contains the word "Data". For a list of the expression functions available for conditioning an extraction, see Expressions for Extraction Conditions.
Note
For values extracted using an extraction condition, the extracted values are listed above the log line in various colors but are not highlighted in the sample log line itself.
Once the conditioned extraction field is mapped, it is displayed in the log line as shown in the image below.
Add a Substring Regex
If you want to extract only a portion of a string value from the raw log, enter a regular expression in the Substring Regex column; only the portion of the string that the expression matches is mapped to the CIM field. For instance, your raw log might contain a long, composite resource ID from which you want to extract several portions and map each one to a different CIM field.
To implement such logic, define a regular expression in the Substring Regex column that selects a specific substring from within the string value; only that substring is mapped to the CIM field.
For example, on row 2 in the image below, the regular expression in the Substring Regex column extracts a specific part of the resources[1].type field from the raw log: only the S3 portion of the value, which it maps to the alert_type CIM field.
Note
For values extracted using a substring regex, the extracted values are listed above the log in various colors but are not highlighted in the sample log line itself.
Without the substring regex, the full raw log value (AWS::S3::Bucket) would be mapped to the CIM field instead of just S3. Note the difference in the mapped alert_type in the images below.
| Without Substring Regex | With Substring Regex |
|---|---|
| alert_type = AWS::S3::Bucket | alert_type = S3 |
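The following is an added example, not code from the product or this page, that models both columns described above (Extraction Condition and Substring Regex) as rows of a small mapping table applied to a constructed CloudTrail-style JSON log. The sample logs, the `MappingRule` class and the `map_event` helper are assumptions for illustration; the condition is written as a Python callable rather than in the product's own expression syntax (see Expressions for Extraction Conditions), and the choice to drop a field when its substring regex does not match is this example's behaviour, not necessarily the product's.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Callable, Optional

# Constructed sample logs (assumed shape, not taken from the page): CloudTrail-style
# events in which resources[1].type is "AWS::S3::Bucket".
SAMPLE_LOG = json.dumps({
    "eventCategory": "Data",
    "eventName": "GetObject",
    "resources": [
        {"type": "AWS::IAM::User", "ARN": "arn:aws:iam::123456789012:user/alice"},
        {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
    ],
})
MANAGEMENT_LOG = json.dumps({
    "eventCategory": "Management",
    "eventName": "CreateBucket",
    "resources": [
        {"type": "AWS::IAM::User", "ARN": "arn:aws:iam::123456789012:user/alice"},
        {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
    ],
})

# Tokenizer for JSON paths of the form a.b[1].c: either a key or a [index].
_PATH_TOKEN = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def get_path(obj: Any, path: str) -> Any:
    """Resolve a JSON path such as resources[1].type; return None if any step is missing."""
    cur = obj
    for key, idx in _PATH_TOKEN.findall(path):
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
        else:
            i = int(idx)
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


@dataclass
class MappingRule:
    """One row of the mapping table (hypothetical structure for this example)."""
    json_path: str
    cim_field: str
    condition: Optional[Callable[[dict, Any], bool]] = None  # Extraction Condition column
    substring_regex: Optional[str] = None                     # Substring Regex column


def apply_rule(event: dict, rule: MappingRule) -> Optional[Any]:
    """Return the value to map to rule.cim_field, or None if this row does not apply."""
    value = get_path(event, rule.json_path)
    if value is None:
        return None
    # Extraction Condition: skip the mapping unless the condition holds for this event.
    if rule.condition is not None and not rule.condition(event, value):
        return None
    # Substring Regex: keep only the first capture group (or the whole match if no group).
    if rule.substring_regex is not None:
        m = re.search(rule.substring_regex, str(value))
        if m is None:
            return None  # example behaviour: drop the field rather than map the full value
        value = m.group(1) if m.groups() else m.group(0)
    return value


def map_event(raw_log: str, rules: list) -> dict:
    """Parse one raw JSON log line and apply every mapping rule to it."""
    event = json.loads(raw_log)
    cim = {}
    for rule in rules:
        value = apply_rule(event, rule)
        if value is not None:
            cim[rule.cim_field] = value
    return cim


# Row 1: map eventCategory to alert_name only if the raw value contains "Data".
# Row 2: map resources[1].type to alert_type, keeping only the "S3" part of AWS::S3::Bucket.
#        The regex is anchored and uses a capture group so only the middle token is taken.
# Row 3: plain one-to-one mapping, for comparison.
RULES = [
    MappingRule("eventCategory", "alert_name", condition=lambda ev, v: "Data" in str(v)),
    MappingRule("resources[1].type", "alert_type", substring_regex=r"^AWS::([^:]+)::"),
    MappingRule("resources[1].ARN", "resource_id"),
]

# The same table with row 2's Substring Regex removed: alert_type receives the full value.
RULES_WITHOUT_SUBSTRING = [
    MappingRule("eventCategory", "alert_name", condition=lambda ev, v: "Data" in str(v)),
    MappingRule("resources[1].type", "alert_type"),
    MappingRule("resources[1].ARN", "resource_id"),
]

if __name__ == "__main__":
    print(map_event(SAMPLE_LOG, RULES))
    print(map_event(SAMPLE_LOG, RULES_WITHOUT_SUBSTRING))
    print(map_event(MANAGEMENT_LOG, RULES))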