Parser Types
Exabeam categorizes parsers in Log Stream by type, according to where they originated and how they can be handled. These parser type categories are useful for filtering a list of parsers when you are looking for a specific individual parser or set of parsers. Log Stream parser types include the following:
Default Parsers – These are pre-built Exabeam parsers. Exabeam delivers updates to these parsers via Content Packages. You cannot modify these parsers but you can customize them.
Custom Parsers – These are parsers that have been created in, or imported into, your Log Stream environment. You have full control to modify or delete them.
Customized Default Parsers – These are default parsers that you have customized in Log Stream by using the Customize option to add new fields or event builders. When Exabeam pushes updates to the parser via a new Content Package, your customizations are retained. You can modify but not delete these parsers.
Custom Default Parsers – These are a specific set of customized parsers that were migrated from legacy products. The parsers in this category were created for use in your legacy product environments. When a customization was needed in the legacy product, the default parser was duplicated and customized. Exabeam helped to migrate these parsers into Log Stream via the special custom default categorization. In Log Stream, they are treated like default parsers with one exception: Exabeam does not deliver updates to these parsers. If you further modify these parsers in Log Stream, they become customized default parsers.
Important
The Custom Default categorization ensured that no existing parser with the same name was overwritten during the migration to Log Stream. It was also an indication that the parser had come from a previous deployment. However, this special category of parsers has led to some complications in parser management.
Parsers in this category retain the same parser name as the corresponding default parsers and share event builders as well. But they are treated as custom parsers that are never updated, resulting in the presence of old and stale parsers in Log Stream. These out-of-date parsers often have higher priority levels than the corresponding default parsers. So, even though a default parser has been kept up-to-date via regular content package updates, it becomes disabled while the outdated custom default parser with the higher priority continues in use.
To resolve these issues, the Custom Default parser category will be discontinued in favor of a simpler, more streamlined approach to customizing default parsers. In January of 2026, Exabeam will begin, one region at a time, removing the custom default parsers from Log Stream. As these parsers are removed, the corresponding default parsers will become enabled. Exabeam will provide notifications in each region before beginning to remove the custom default parsers.
What do I need to do? – If you rely on any of the custom default parsers in your Log Stream environment and you want to retain the customizations they contain, you need to identify them and manually add the same customizations to the corresponding default parser. Use the following procedure:
To identify these parsers, filter the Type column by CustomDefault. Each of the parsers in the resulting list includes the v2.0.0 designation in the parser name.
Select a parser and copy the name, up to the v2.0.0 designation.
Clear the Type column filter and paste the copied parser name into the Search field at the top of the list.
Both the default and the custom default parser with the same name will be displayed.
As shown in the image below, the default parser, with the v1.0.0 designation, is more recently updated than the custom default parser with the v2.0.0 designation. Notice also that the custom default parser has the higher priority (lower number in the # column on the left). Because of the difference in priority number, the more up-to-date default parser is disabled, while the out-of-date custom default parser is enabled.
Manually customize the default parser with the desired modifications. For more information, see Customize a Default Parser.
Save the customized parser. The new parser is displayed as a customized default parser.
Repeat this procedure for each custom default parser whose customizations you want to retain.
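The pairing that this procedure performs by hand in the parser list, written out as an added example (not Exabeam code, and it calls no Log Stream API). It runs over an inventory transcribed from the list columns; the parser names, dates, and the "Default" and "Custom" type strings are constructed assumptions, and only the CustomDefault value and the v1.0.0/v2.0.0 designations come from this page.

```python
from datetime import date

# Constructed inventory, transcribed by hand from the parser list columns the
# page mentions (name, Type, # priority, enabled state, last update).
# Parser names, dates and the "Default"/"Custom" type strings are assumptions.
PARSERS = [
    {"name": "example-fw-traffic-v1.0.0", "type": "Default", "priority": 212,
     "enabled": False, "updated": date(2025, 9, 3)},
    {"name": "example-fw-traffic-v2.0.0", "type": "CustomDefault", "priority": 45,
     "enabled": True, "updated": date(2023, 2, 14)},
    {"name": "example-vpn-login-v1.0.0", "type": "Default", "priority": 300,
     "enabled": True, "updated": date(2025, 8, 1)},
    {"name": "example-proxy-http-v2.0.0", "type": "CustomDefault", "priority": 60,
     "enabled": True, "updated": date(2022, 11, 30)},
    {"name": "my-app-audit", "type": "Custom", "priority": 10,
     "enabled": True, "updated": date(2025, 5, 5)},
]

def base_name(name):
    """Return the parser name up to its v1.0.0 / v2.0.0 designation."""
    for tag in ("v2.0.0", "v1.0.0"):
        idx = name.find(tag)
        if idx != -1:
            return name[:idx].rstrip("-_ ")
    return name

def migration_worklist(parsers):
    """Pair each custom default parser with the default parser of the same name."""
    defaults = {base_name(p["name"]): p for p in parsers if p["type"] == "Default"}
    rows = []
    for cd in (p for p in parsers if p["type"] == "CustomDefault"):
        key = base_name(cd["name"])
        d = defaults.get(key)
        rows.append({
            "base": key,
            "default_found": d is not None,
            # Lower number in the # column means higher priority.
            "shadows_default": bool(d and cd["priority"] < d["priority"]
                                    and cd["enabled"] and not d["enabled"]),
            "default_is_newer": bool(d and d["updated"] > cd["updated"]),
        })
    return sorted(rows, key=lambda r: r["base"])

if __name__ == "__main__":
    for row in migration_worklist(PARSERS):
        print(row)
```

Rows with `default_found` set to False have no matching default parser in the inventory and need a manual check before the custom default parser is removed.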
When the process of removing custom default parsers is completed, three clear categories of parsers will remain: default parsers, custom parsers, and customized default parsers.
Default – Pre-built parsers that are provided by default with Log Stream.
Custom – Parsers that you create from scratch in, or import into, Log Stream.
Customized Default – Default parsers that you add customizations to in Log Stream.