Parsers

Parsers enable you to extract and manipulate raw events (non-CEF data) from different sources in your network environment. Once you have parsed event fields, you can easily search for data, chart it, and perform other operations on it. One user with in-depth knowledge of the events can create the parser, and then all users who look at those events will get the benefit of that work.

Parsers provide you with a simple way to read events. Instead of looking at raw event data and trying to figure out what it means, you can use a parser to extract portions of non-CEF events into fields. However, the fields created by the parser are available only for search operations, and are not added to the Logger schema.

You can use a parser either of the following ways:

Use the parser with a source type: You can associate the parser with a source type to extract any set of fields in any kind of event. For more information, see Source Types.
Use the parse command in a search: During a search, you can use the parse command to extract fields from events and use other search operators (such as where, chart, top, and so on) to further refine the search or manipulate the data in the fields. This is particularly useful for IT operations and other customers who need to extract and manipulate raw event data.

Prerequisites

Users must be assigned to the following User Groups to access this feature:

Default Logger Rights Group
Default System Admin Group

See Setting Logger User Permissions for more information.