Parser Calibration Tiers
Exabeam defines how well an event is aligned to the Common Information Model by determining how many of the Core, Detection, and Informational fields were extracted for each parsed log line.
This metric is aggregated for the previous 24 hours per parser, and the parser is then assigned to a Parser Calibration Tier based on this assessment according to the following formula:
Tier 1 - The log is parsed and an Event is built for more than 70% of the Core, Detection, and Informational fields in an event.
Tier 2 - The log is parsed and an Event is built for less than 70% of the Core, Detection, and Informational fields in an event.
Tier 3 - The log is parsed but no Event is defined for this log type or Event Builder conditions are not met.
Tier 4 - The log is unparsed but available for search, correlation, and retention/storage.
The parser calibration tier panel, on the Parsers Overview tab of the Log Stream home page, displays a graphical representation of the calibration tiers assigned to all enabled parsers.
If a parser has a calibration tier assigned to it, this will be shown in the Parser Listing at the bottom of the Log Stream home page, on the Parsers Overview tab.