Customize a Default Parser
When you build a custom parser using a default Exabeam parser as a template, your custom parser is not updated automatically when Exabeam refreshes the default parser.
You can customize a default parser to add new field mappings or event builder rules without creating a custom parser. The customizations require no additional maintenance effort, because they are updated automatically when Exabeam refreshes its default parsers.
To customize a default parser:
1. On the Parsers Overview tab of the Log Stream home page, click the () menu on the default parser you wish to customize, and select Customize.
2. Add sample log lines, change the parser conditions, activity type, time format, associated vendor and product, field mapping, and event builder rules. Click Next at each step, until you reach the last step.
   Note: See Create a Custom Parser for detailed information about each step.
3. Click Finish.