Edit a Custom Parser
Use these instructions to edit an existing custom parser, or to finish an incomplete parser.
If you leave while creating a parser, the incomplete parser appears in the list of parsers with a status of Draft. Edit the parser to resume your work. When you're creating or editing a parser, your progress is saved after each step and after you change anything.
Note
You cannot edit an enabled parser, you must first disable the parser before you can edit it.
As reprocessing missed logs can be a concern, we recommend the following approach:
Duplicate the parser you wish to edit, and enable it.
Disable and edit the old parser.
Enable the newly edited parser.
Disable and remove the duplicated parser.
On the Parsers Overview tab of the Log Stream home page, click the
menu on the custom parser you wish to edit, and then select Edit.Note
If you are editing an incomplete parser with a status of Draft, you will be taken to the point in the creation process where the process was stopped. See Create a Custom Parser for information on how to continue creating this parser.
If you imported a parser, import sample logs that represent the type of information Advanced Analytics typically ingests. These sample logs ensure that you create a parser that properly extracts this information.
To select a log file from your file system, select Add a file, then drag and drop a file or click Select a File. You may upload a
.gzor.tgzfile that is no more than 100 MB.To copy and paste logs, select Copy and paste raw logs, then paste the content into the text box. You may enter up to 100 lines.
Click Find Matching Logs.
Change the parser conditions, activity type, time format, associated vendor and product, field mapping, and event builder rules. Click Next at each step, until you reach the last step.
Note
See Create a Custom Parser for detailed information about each step.
Click Finish.