Parser Dependencies
The Dependencies column on the Log Stream Parsers Overview tab provides feedback about the quality and completeness of parsers whose extracted fields feed detection rules. This information is provided directly in the parser list, so you do not need to open an individual parser and step through its workflow to discover which fields a detection rule needs that the parser does not extract.
Note
License Requirement
Currently, the Dependencies column is available only if you have the New-Scale Analytics license.
The Dependencies column can show one of three states:
- Empty – The parser's event builder does not include any detection rules, so there is nothing to check.
- Icon only – The parser extracts every field required by the detection rules that depend on it.
- Icon with a count – The parser is missing one or more fields required by a detection rule. The number next to the icon is the count of distinct missing fields.
If a parser is missing fields required by a detection rule, click the icon in the Dependencies column to display a popup with more information. A Detection quality issues message like the one in the following image is displayed.
In the popup message, click on the View details link to open a detailed diagram that shows the relationship between the missing fields and the detection rules that depend on each missing field. As shown in the sample image below, the missing fields are listed on the left and the detection rules are listed on the right. The lines between them show which rules depend on each field.
In the diagram, you can highlight specific information by hovering your cursor over different elements. Hover over a specific missing field, over a specific detection rule, or over a specific line. The other information will fade so that the item you hover over is clearly visible. This can be useful when many fields are missing and the matching diagram becomes complex, as in the example below.
When you have identified the missing fields and the detection rules that depend on them, edit the parser to extract the missing fields as follows. If the parser is active, you must disable it before you can edit it (see Enable or Disable Parsers).
- Select the Edit option for the parser you want to update.
- Navigate to the Extract Fields step of the parser workflow.
- Map each missing field for extraction. (See Extract Event Fields.)
- Update the Event Builder Rules, if necessary. (See Add Event Builder Rules.)
- Review and save the updated parser. (See Review and Save Parser.)
- If you disabled the parser in order to edit it, enable it again after saving; otherwise it does not resume processing events. Check the Dependencies column afterwards to confirm that the missing-field count is gone.
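The following is an added illustration, not Exabeam code and not part of the original page. It models the check the Dependencies column summarises: given the set of fields a parser extracts and the fields each detection rule requires, it computes the per-rule gaps, the count shown next to the icon, and the field-to-rule edges drawn in the "View details" diagram, then confirms that adding the missing fields (the edit procedure above) clears the state. The parser field set, rule names and required-field lists are constructed for the example and are hypothetical; real rule requirements must be read from your own tenant.

```python
"""Offline check of parser field coverage against detection-rule requirements.

Added illustration only (not Exabeam code). All parser fields, rule names and
required-field lists below are constructed, hypothetical sample data.
"""
from collections import defaultdict

# Constructed sample: the event fields a hypothetical custom parser extracts.
PARSER_FIELDS = {"time", "user", "src_ip", "dest_ip", "action"}

# Constructed sample: hypothetical detection rules and the fields each requires.
DETECTION_RULES = {
    "Lateral movement via RDP": {"user", "src_ip", "dest_ip", "dest_port"},
    "Brute force from single source": {"user", "src_ip", "outcome"},
    "Privileged logon from new host": {"user", "src_host", "outcome"},
}


def missing_field_report(parser_fields, rules):
    """Return (missing_count, field_to_rules, rule_to_missing).

    field_to_rules maps each missing field to the rules that depend on it; these
    are the lines of the diagram (missing fields on the left, rules on the right).
    missing_count is the number shown next to the icon: distinct missing fields,
    not the number of field/rule edges.
    """
    field_to_rules = defaultdict(list)
    rule_to_missing = {}
    for rule, required in rules.items():
        gaps = sorted(required - set(parser_fields))
        if gaps:
            rule_to_missing[rule] = gaps
            for field in gaps:
                field_to_rules[field].append(rule)
    return len(field_to_rules), dict(field_to_rules), rule_to_missing


def dependency_state(parser_fields, rules):
    """Mirror the three column states: 'empty', 'ok', or 'missing:N'."""
    if not rules:
        return "empty"  # no detection rules in the event builder
    count, _, _ = missing_field_report(parser_fields, rules)
    return "ok" if count == 0 else f"missing:{count}"


def render_diagram(field_to_rules):
    """Text rendering of the field -> rule diagram, one line per edge."""
    lines = []
    for field in sorted(field_to_rules):
        for rule in field_to_rules[field]:
            lines.append(f"{field} --> {rule}")
    return "\n".join(lines)


def fields_after_fix(parser_fields, rules):
    """The field set the parser needs after mapping every missing field."""
    _, field_to_rules, _ = missing_field_report(parser_fields, rules)
    return set(parser_fields) | set(field_to_rules)


if __name__ == "__main__":
    count, edges, per_rule = missing_field_report(PARSER_FIELDS, DETECTION_RULES)
    print("state:", dependency_state(PARSER_FIELDS, DETECTION_RULES))
    print(render_diagram(edges))
    for rule, gaps in per_rule.items():
        print(f"{rule}: missing {', '.join(gaps)}")
    fixed = fields_after_fix(PARSER_FIELDS, DETECTION_RULES)
    print("state after edit:", dependency_state(fixed, DETECTION_RULES))
```

Running the block prints `missing:3` for the sample parser, one line per edge of the diagram (for example `outcome --> Brute force from single source`), and `ok` once the three missing fields are added. Note that `outcome` appears in two rules but is counted once, which is why the column count can be smaller than the number of lines in the diagram.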