Adding a Parsing Rule

You can add one or more parsing rules that define how to parse log events.

Procedure

  1. Paste the sample log data in the Sample events panel.
    This data can be helpful in defining the parsing rule based on the log source. After saving the data model, the sample data is always available when editing the same data model or associated parsing rules.
    Note: You can paste a maximum of 100 KB of sample data.
  2. In the Parsing rules panel, click Add new rule to add a new parsing rule.
    You can add multiple rules for the same data model.
  3. In the Name field, enter the name of the rule.
    The name must contain an alphanumeric character. It can also contain an underscore (_) and hyphen (-).
  4. To enable the parsing rule, ensure that the slider is set to ON. To disable the rule, click the slider to OFF.
  5. In the Filter field, enter the filter that is assigned to the parsing rule. All regular expression patterns are supported.
    Note: If you do not define a filter, this rule matches all events, and any parsing rules listed after it are ignored.
  6. From the Choose parser list, select the type of parser you want to use: Key-Value, JSON, XML, Columnar, Regex, CEF, and Syslog.
    Depending upon the selected parser, you must provide additional information in various fields: see Parsers and Field Description.
  7. To extract columns based on the parser type, click Auto generate columns.
    All custom columns are extracted in the Manage columns for this rule panel. You can add, edit, or delete custom columns. To add a column, click . To edit any values, click inside the Column and Expression fields. Hover over the row, and the Delete button is displayed on the right side of the row for you to delete the column.
    • Column: The name of the column that is displayed in the results. Click in the row to add or update any column name. The content assist shows contextual matches of the existing custom column names for you to select.
      Note: Two columns cannot have the same name. Column names are not case sensitive. When defining column names, follow the guidelines described in the COLUMNS Statement section.
    • Expression: Defines how values extracted by the parser are mapped into the defined columns. You can use arithmetic operators and conversion functions when defining an expression. Conversion functions are typically used when you define new columns: the expression for a new column can convert between data types and combine values using various operators.
  8. To refresh the Parser preview panel to view all extracted columns and their data types that are matched by the corresponding parsing rule, click .
    Each event that matches with the corresponding rule is identified in the same color for easy readability. For custom columns, click in the Type field to change the supported data type. Select the data type from the list.
    Note: This option is available only when the data is pasted in the Sample events panel and at least one parsing rule is enabled.
  9. To add the new parsing rule, click .
    The Parsing rules panel displays the newly added rule.
  10. To manage columns, click 3. Review configuration or click located on the right side of the page.
    For more information, see Managing Columns.
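
The Note in step 5 means rule order decides which parser an event reaches: a rule with no filter is a catch-all, and every rule listed after it never runs. The following is an added example, not the product's own code, that models this behavior offline so a rule set can be checked against sample events before it is saved. The Rule class, the function names, the sample events, unanchored regular expression matching, and the skipping of disabled rules are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    filter: str = ""       # empty filter matches every event (Note in step 5)
    parser: str = "Regex"
    enabled: bool = True   # step 4 slider; assumed: disabled rules are skipped

def match_rule(rules, event):
    """Return the name of the first enabled rule whose filter matches, else None."""
    for r in rules:
        # Assumption: filters are applied as unanchored regex searches.
        if r.enabled and (not r.filter or re.search(r.filter, event)):
            return r.name
    return None

def lint(rules, samples):
    """Flag rules shadowed by an earlier catch-all and rules no sample event reaches."""
    findings, catch_all = [], None
    for r in rules:
        if not r.enabled:
            continue
        if catch_all:
            findings.append(("shadowed-by:" + catch_all, r.name))
        elif not r.filter:
            catch_all = r.name
    hit = {match_rule(rules, e) for e in samples}
    flagged = {name for _, name in findings}
    for r in rules:
        if r.enabled and r.name not in hit and r.name not in flagged:
            findings.append(("no-sample-match", r.name))
    return findings

# Constructed sample events and rules, for illustration only.
SAMPLES = [
    "CEF:0|Vendor|Product|1.0|100|Login failed|5|src=10.0.0.5 suser=alice",
    '{"event":"login","user":"bob","result":"ok"}',
    "<34>Oct 11 22:14:15 host1 sshd[411]: Accepted password for carol",
]
RULES = [
    Rule("cef_events", r"^CEF:\d+\|", "CEF"),
    Rule("everything", "", "Key-Value"),           # no filter: catch-all
    Rule("json_events", r"^\{", "JSON"),           # listed after the catch-all
    Rule("syslog_events", r"^<\d+>", "Syslog", enabled=False),
]

if __name__ == "__main__":
    print(lint(RULES, SAMPLES))
```

With these constructed rules, the JSON event is handed to the Key-Value parser of the catch-all rule instead of the JSON parser, which is the kind of silent mis-parse that leaves fields missing from later searches and detections.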