Adding a Data Model in Raw Mode

You can add a new data model that can be activated to analyze results in the normalized format. All enabled models can be searched using the source filter from the Search tab.

Prerequisites

This option is for advanced users who understand JSON syntax to create a new parsing rule. If otherwise, use the graphical mode to create new data model. For details, see Adding a Data Model in Graphical Mode.

Procedure

  1. Navigate to the Management > Advanced Features > Data Models menu.
  2. From the Models page, click to add a new data model.
  3. Click Switch to raw mode to add a new model in raw mode.
  4. In the Sample events panel, paste the sample events to analyze data in normalized format. This data can be helpful in defining the parsing rule based on the log source. Once you add the data model, the sample data is always available when editing the same data model or associated parsing rules.
    Note: You can paste maximum of 100 KB sample data.
  5. In the Raw configuration mode panel, enter the parsing rule. Ensure to define source filter, parsing rule, and parser properties in a valid JSON syntax, as follows:
    {
    "sourceConfig": {
    "name": "SourceConfiguration_1",
    "active": "true",
    "sourceFilter": "",
    "parsingRules": [],
    "columns": [
    {
    "name": "sys_eventTime",
    "type": "TIMESTAMP"
    },
    {
    "name": "sys_body",
    "type": "STRING"
    },
    {
    "name": "sys_bodySize",
    "type": "INT"
    },
    {
    "name": "sys_collectTime",
    "type": "TIMESTAMP"
    },
    {
    "name": "sys_sourceType",
    "type": "INT"
    },
    {
    "name": "sys_collectIP",
    "type": "INET_ADDR"
    },
    {
    "name": "sys_sourceDnsName",
    "type": "STRING"
    },
    {
    "name": "sys_filename",
    "type": "STRING"
    },
    {
    "name": "sys_collectIPZone",
    "type": "STRING"
    }
    ]
    }
    }
  6. Click Validate to ensure that the rule syntax is valid. Click Format to format the JSON.
  7. Click to refresh the Parser preview panel to view all extracted columns and their data types that are matched by the defined parsing rule. Click in the Type field to change the supported data types and select the data type from the list.
    Note: This option is available only when the data is pasted in the Sample events panel and at least one parsing rule is enabled.
  8. Click Save to add a new data model. The Models page displays the newly added model.