Parser Details Fields Tab
The Fields tab of the Parser Details panel shows all the fields this parser will attempt to extract.
The Field Definition section shows the number of Core, Detection, and Information fields that are defined for extraction per mapped activity type.
In this example you can see that of 22 defined fields, 21 are defined for extraction (8 Core, 9 Detection, 1 Informational, 1 Custom, and 2 Other). Scroll down to see exactly which fields are defined for extraction or are enriched.
Note
Identifying which Core, Detection, or Informational fields are missing for a given activity type lets you determine how well the parser adheres to the Common Information Model (CIM 2.0) and fine-tune it to improve compliance.
Certain fields are enriched rather than extracted. These are identified in the list as Enriched and include product, vendor, outcome, subject, and activity_type.