Parser Calibration Tiers
Exabeam defines how well an event is aligned to the Common Information Model by determining how many of the Core, Detection, and Information fields were extracted for each parsed log line.
This metric is aggregated for the previous 24 hours per parser, and the parser is then assigned to a Parser Calibration Tier based on this assessment according to the following formula:
Tier 1 - The log is parsed and an Event is built for more than 70% of the Core, Detection, and Informational fields in an event.
Tier 2 - The log is parsed and an Event is built for less than 70% of the Core, Detection, and Informational fields in an event
Tier 3 - The log is parsed but no Event is defined for this log type or Event Builder conditions are not met.
Tier 4 - The log is unparsed but available for search, correlation, and retention/storage.
The parser calibration tier panel, on the Parsers Overview tab of the Log Stream home page, displays a graphical representation of the calibration tiers assigned to all enabled parsers.
If a parser has a calibration tier assigned to it, this will be shown in the Parser Listing at the bottom of the Log Stream home page, on the Parsers Overview tab.
