Parser List
All parsers currently active in the pipeline, both custom and default Exabeam parsers, are listed at the bottom of the Parsers Overview tab on the Log Stream.
Note
The total number of parsers in the list is shown next to the gear icon. This number changes as you filter the parsers.
You can interact with the parser list in the following ways:
- Click the gear icon to group the parsers by vendor.
- Enter a simple text search in the search bar to find specific parsers.
- Click Reorder to change the order in which the custom parsers are applied to the data.
- Click Import to import a parser.
- Click Export to export all parsers and event builders.
- Click +New Parser to create a new custom parser.
To sort the parser list, hover over any column heading and click the descending arrow. Click again to re-sort in the other direction.
To filter the parser list, click the filter icon on any of the following column headings: TYPE, VENDOR, PRODUCT, EVENT, EXTRACTION TYPE, PARSER CALIBRATION TIER, STATUS, and HEALTH.
Use the Dependencies column to investigate the quality and completeness of parsers that ingest detection events. The column indicates how many fields are missing from a parser whose event builder includes detection rules. Click the column value to view a popup with information about the detection quality issues. In the popup, click the View details link to open a graph with specific information about each missing field and the detection rules that depend on it. For more information, see Parser Dependencies.
Note
License Requirement
Currently, the Dependencies column is available only if you have the New-Scale Analytics license.
Use the menu at the end of each row to View Details, Edit, Duplicate, Disable, Enable, Delete, or Export a particular parser.
Note
For custom parsers, Disable and Enable will only show on the menu of completed parsers.