Expressions for Extraction Conditions
The table below describes the functions that can be used as conditions on the extraction of field values from a JSON-formatted raw log. An argument can be a string literal, a JSON path reference to a field in the log (for example $.vendor), or another function call, so conditions can be nested (for example inside and(), or() and not()).
Function | Description | Inputs | Example / Result |
---|---|---|---|
and(e1, ..., en) | Extracts a value when all of the included Boolean expressions evaluate to true. | e1 ... en = Boolean expressions | Example: and(contains("Exabeam","Exa"), endsWith("Exabeam","beam")) Result: The value is extracted because both expressions are true: "Exabeam" contains "Exa", and "Exabeam" ends with "beam". |
beginsWith(s, prefix) or startsWith(s, prefix) | Extracts the string value if it begins with the specified prefix. | s = a string; prefix = the specified prefix (case sensitive) | Example: beginsWith("Exabeam","Exa") Result: The value is extracted because the string "Exabeam" is prefixed by "Exa". |
beginsWithAny(s, v1, v2, v3, ...) or startsWithAny(s, v1, v2, v3, ...) | Extracts the string value if it begins with any of the specified prefixes. | s = a string; v1, v2, v3 = the specified prefixes (case sensitive) | Example: beginsWithAny($.vendor,"Exa","Log") Result: The value of the vendor field is extracted if it starts with either "Exa" or "Log". |
contains(s, s1) | Extracts a value if the Boolean test confirms that string s contains substring s1. | s = a string; s1 = a substring | Example: contains("Exabeam","be") Result: Extracts the value "Exabeam" because it contains the substring "be". |
containsAny(s, s1, ..., sn) | Extracts a value if the Boolean test confirms that string s contains any of the specified substrings. | s = a string; s1 ... sn = the specified substrings | Example: containsAny($.vendor,"Exa","Log") Result: The value of the vendor field is extracted if it contains either "Exa" or "Log". |
endsWith(s, suffix) | Extracts the string value if it ends with the specified suffix. | s = a string; suffix = the specified suffix | Example: endsWith($.hostname, "$") Result: The value of the hostname field is extracted if it ends with "$", as Windows computer account names do. |
endsWithAny(s, v1, v2, v3, ...) | Extracts the string value if it ends with any of the specified suffixes. | s = a string; v1, v2, v3 = the specified suffixes (case sensitive) | Example: endsWithAny($.vendor,"beam","rhythm") Result: The value of the vendor field is extracted if it ends with either "beam" or "rhythm". |
isIP(s) | Extracts a value if string s is an IPv4 or IPv6 address. | s = a string | Example: isIP($.sourceIPAddress) Result: Extracts the value of the source IP address field if it is an IPv4 or IPv6 address. |
isIPv4(s) | Extracts a value if string s is an IPv4 address. | s = a string | Example: isIPv4($.sourceIPAddress) Result: Extracts the value of the source IP address field if it is an IPv4 address. |
isIPv6(s) | Extracts a value if string s is an IPv6 address. | s = a string | Example: isIPv6($.sourceIPAddress) Result: Extracts the value of the source IP address field if it is an IPv6 address. |
isAnyLocal(s) | Extracts a value if string s is the any-local (unspecified) address: 0.0.0.0 or :: | s = a string | Example: isAnyLocal($.src_host) Result: Extracts the value of the source host field if it is the any-local address. |
isLinkLocal(s) | Extracts a value if string s is a link-local address: 169.254.1.0 - 169.254.255.255, fe80::, etc. | s = a string | Example: isLinkLocal($.src_host) Result: Extracts the value of the source host field if it is a link-local address. |
isLoopback(s) | Extracts a value if string s is a loopback address: 127.0.0.0 - 127.255.255.255, ::1, etc. | s = a string | Example: isLoopback($.src_host) Result: Extracts the value of the source host field if it is a loopback address. |
isMulticast(s) | Extracts a value if string s is a multicast address: 224.0.0.0 - 239.255.255.255 | s = a string | Example: isMulticast($.src_host) Result: Extracts the value of the source host field if it is a multicast address. |
isSiteLocal(s) | Extracts a value if string s is a site-local (private) address: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255, etc. | s = a string | Example: isSiteLocal($.src_host) Result: Extracts the value of the source host field if it is a site-local address. |
inList(x, v1, v2, v3, ...) | Extracts a value if the argument x matches any of the values in the specified list. | x = the value to test; v1, v2, v3 = the values in the specified list | Example: inList($.eventVersion,"1.06","1.07","1.09") Result: Extracts a value if the event version field matches any of the listed values. |
not(expr) | Extracts the value of a field if the specified expression evaluates to false. | expr = a Boolean expression | Example: not(contains($.vendor,"Exa")) Result: The vendor field value is extracted only if it does not contain "Exa". |
or(e1, ..., en) | Extracts a value when any of the included Boolean expressions evaluate to true. | e1 ... en = Boolean expressions | Example: or(contains("Exabeam","Exa"), endsWith("Exabeam","beam")) Result: The value is extracted if either expression is true; here both are, because "Exabeam" contains "Exa" and ends with "beam". |
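The following is an added worked example and is not part of the Exabeam documentation or product: a small Python evaluator that parses condition expressions written in the syntax shown in the table and applies them to constructed JSON log lines, so a condition can be sanity-checked against sample events before it goes into a custom parser. The grammar (a function call with string literal, $.path or nested-call arguments), the dotted-path resolution, and the address-range definitions (Python's ipaddress module for link-local, loopback, multicast and unspecified; RFC 1918 plus fec0::/10 for site-local) are assumptions, not a description of how Exabeam evaluates the expressions.

```python
"""Evaluate extraction-condition expressions against JSON log lines.
Added example, not Exabeam's code: the grammar (func(arg, ...), "..." string
literals, $.a.b path references, nesting) and the address ranges are assumptions
read off the table above, not taken from Exabeam's implementation."""
import ipaddress
import json
import re

_TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(\$[\w.]+)|([A-Za-z_]\w*)|([(),]))')
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_s = lambda v: "" if v is None else str(v)       # an absent field behaves like ""

def parse(expr):
    """Recursive-descent parse into ("call", name, args), ("str", s) or ("path", p) nodes."""
    tokens, pos, idx, expr = [], 0, 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        tokens.append(next(t for t in m.groups() if t is not None))
    def take(expected=None):
        nonlocal idx
        tok = tokens[idx] if idx < len(tokens) else None
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a value'}, got {tok!r}")
        idx += 1
        return tok
    def node():
        tok = take()
        if tok.startswith('"'):
            return ("str", json.loads(tok))       # JSON string escapes apply
        if tok.startswith("$"):
            return ("path", tok)
        take("(")                                 # anything else must be a function call
        args = []
        while idx < len(tokens) and tokens[idx] != ")":
            if args:
                take(",")
            args.append(node())
        take(")")                                 # an unbalanced "(" fails here
        return ("call", tok, args)
    ast = node()
    if idx != len(tokens):
        raise ValueError(f"trailing input: {tokens[idx:]}")
    return ast

def resolve(path, event):
    cur = event                                   # "$.a.b" -> event["a"]["b"], None if absent
    for key in path[2:].split("."):
        cur = cur.get(key) if isinstance(cur, dict) else None
    return cur

def _ip_test(value, test):
    try:
        return test(ipaddress.ip_address(_s(value)))
    except ValueError:                            # not an IPv4/IPv6 literal
        return False

_STRING_FUNCS = {
    "and": lambda *e: all(e), "or": lambda *e: any(e), "not": lambda e: not e,
    "beginsWith": lambda s, p: _s(s).startswith(p),            # all string tests are case sensitive
    "beginsWithAny": lambda s, *p: _s(s).startswith(p),
    "contains": lambda s, sub: sub in _s(s),
    "containsAny": lambda s, *subs: any(x in _s(s) for x in subs),
    "endsWith": lambda s, suf: _s(s).endswith(suf),
    "endsWithAny": lambda s, *suf: _s(s).endswith(suf),
    "inList": lambda x, *vals: _s(x) in vals,                  # compared on the string form
}
_IP_TESTS = {
    "isIP": lambda a: True, "isIPv4": lambda a: a.version == 4, "isIPv6": lambda a: a.version == 6,
    "isAnyLocal": lambda a: a.is_unspecified,                  # 0.0.0.0 or ::
    "isLinkLocal": lambda a: a.is_link_local,                  # 169.254.0.0/16, fe80::/10 (assumed)
    "isLoopback": lambda a: a.is_loopback, "isMulticast": lambda a: a.is_multicast,
    "isSiteLocal": lambda a: any(a in n for n in _RFC1918) if a.version == 4 else a.is_site_local,
}
FUNCS = dict(_STRING_FUNCS, startsWith=_STRING_FUNCS["beginsWith"],
             startsWithAny=_STRING_FUNCS["beginsWithAny"])
FUNCS.update({name: (lambda v, t=test: _ip_test(v, t)) for name, test in _IP_TESTS.items()})

def evaluate(ast, event):
    if ast[0] != "call":
        return ast[1] if ast[0] == "str" else resolve(ast[1], event)
    _, name, args = ast
    if name not in FUNCS:
        raise ValueError(f"unknown function {name!r}")
    return bool(FUNCS[name](*(evaluate(a, event) for a in args)))

def should_extract(expr, raw_log):
    """True when condition `expr` holds for the JSON log line `raw_log`."""
    return evaluate(parse(expr), json.loads(raw_log))

# Constructed sample events for illustration; not real Exabeam or vendor logs.
SAMPLE_LOGS = [
    '{"vendor": "Exabeam", "src_host": "10.1.2.3", "hostname": "WKS01$", "eventVersion": "1.07"}',
    '{"vendor": "LogRhythm", "src_host": "fe80::1", "hostname": "srv-web", "eventVersion": "1.05"}',
    '{"vendor": "Other", "src_host": "8.8.8.8", "hostname": "DC01$", "eventVersion": 1.09}',
]
```

Calling should_extract('and(contains($.vendor,"Exa"), isSiteLocal($.src_host))', SAMPLE_LOGS[0]) returns True, while the second and third sample events fail one of the two tests. A field that is missing from the event evaluates as an empty string, so not(contains($.missing,"x")) is true for every event that lacks the field; an unbalanced expression such as not(contains($.vendor,"Exa") with its closing parenthesis missing raises a ValueError from the parser rather than silently matching nothing.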