Working with Parsers

You can define two types of parsers—a REX parser or an Extract parser. Before adding the parser, you need to define the query you want to use for parsing events.

For a Rex parser, one way to do this is to use the rex search operator to test and adjust a regular expression until it returns the desired fields from the events that you want it to handle. Then copy the rex expression and paste it into the parser’s Definition field. For an Extract parser, use the extract operator. For more information about the search operators, see parse, rex, and extract.

The parser used in a search will be displayed in the Parser column of the search results. If the event was parsed, this field contains the name of the parser. If the event was not parsed successfully, this field contains “Not parsed.” If no parser is defined for the source type or if there is no source type, the field is blank.

Prerequisites

Users must be assigned to the following User Groups to access this feature:

Default Logger Rights Group
Default System Admin Group

See Setting Logger User Permissions for more information.

To add a parser:

Open the Configuration > Data menu and click Parsers.

The Parsers page, shown in Parsers, displays the current parsers. You can sort the fields by clicking the column headers.
Click Add.
Enter a name for the parser.
Choose the Parser Type from the drop-down list.
Click Save.

The fields display in the Edit Parser dialog box according to the type of parser.

Fill in the fields for the parser.

Parser Fields
Field	Description
Name	The name of the parser. Enter a new name if you want to change the existing name.
Description	A meaningful description of the purpose of the parser.
Rex parsers only
Definition	The rex expression that you want to use to parse events.
Extract parsers only
Pair Delimiter	The characters separate key/value pairs within an event. Enter only the separator characters, for example: `\\|,`
Key/Value Delimiter	The characters that separate the key from the value. Enter only the delimiter character, for example: `=`
Fields	The list of field names to use when parsing events. Enter the field names, separated by comma (,). For example, to parse events like: `foo=abc, bar=xyz, baz=def` Enter: `foo,bar,baz`

Click Save.

To edit a parser:

Open the Configuration > Data menu and click Parsers.

The Parsers page, shown in Using Parsers with Source Types, displays the current parsers. You can sort the fields by clicking the column headers.
Locate the parser that you want to update and click the Edit icon () on that row.

Note: The Edit icon () is not available for out-of-box parsers. You can copy the parser and make a similar one instead.
Edit the parser fields as appropriate.

The fields displayed in the Edit Parser dialog box according to the type of parser. Parser fields are documented in the table Parser Fields.
Click Save.

To copy a parser:

Open the Configuration > Data menu and click Parsers.

The Parsers page, shown in Using Parsers with Source Types, displays the current parsers. You can sort the fields by clicking the column headers.
Locate the parser that you want to copy and click the Copy icon () on that row.

The fields displayed in the Edit Parser dialog box according to the type of parser.
Enter a name for the new parser and edit the fields as appropriate.

Parser fields are documented in the table Parser Fields, above.
Click Save.

To delete a parser:

Open the Configuration > Data menu and click Parsers.

The Parsers page, shown in Using Parsers with Source Types, displays the current parsers. You can sort the fields by clicking the column headers.
Locate the parser that you want to delete and click the Remove icon () on that row.

Note: The Remove icon () not available for out-of-box parsers. You can only remove parsers that you added.
Click OK to confirm the removal.

Tip: Be cautious when deleting a parser. Logger doesn't warn you when you modify or delete a parser that is associated with a Source Type.