parse

Applies the named parser to the matching events of a search query.

Synopsis

...| parse <parser_name>

Where <parser_name> is the name of the parser to use. For information on how to create a parser, see Working with Parsers.

Tip: The parser must exist before it can be used in a query.

The parse operator is useful for non-CEF (unstructured textual) data stored on Logger: it parses such events into specific fields according to the parser's definition.

Once parsed into fields, this data can be used further in search operations. For example, the following parse operator parses the events using a user-defined parser "Web Server Access Log" that creates the fields "username", "login_status", and "num_attempts".

You can then use these fields further in the pipeline, for example to display the top 10 user names with the most failed login attempts and the number of attempts they made:

...| parse Web Server Access Log | where login_status = "failed" | top username num_attempts

Because the parser definitions are rex or extract expressions, they create additional fields to contain values that match the specified expression. These fields are displayed in the Search Results just like the results of any rex or extract expression. Therefore, in the above example, three additional fields will be added to the Search Result: username, login_status, num_attempts.

An additional field called “parser” is also added to the Search Results when the parse operator is used in a search query.

This field contains the name of the parser when that parser extracts one or more of the fields specified in its definition from the matching event. It displays "Not parsed" when the event was not parsed successfully: when the parser definition matches none of the fields of the event, when no parser is defined for the event's source type, or when the event has no source type.

Usage Notes

When to use the parse operator: Non-CEF events received through TCP or UDP receivers on Logger are not associated with a source type, and therefore have no parser definition, so they are not parsed automatically. Similarly, non-CEF events stored on If you need such events parsed when they match a query, use the parse operator.

When an event that has a defined source type on Logger is processed by the parse operator, two parsers run: the one associated with the source type, and the one you name in the parse operator. If the two parsers create distinct field names, all of those fields are created when a query that matches the event is run. If both parsers define one or more fields with the same name, the values from the parser named in the parse operator take precedence, because that parser is applied last.
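The following is an added illustration, not code from the Logger product or its documentation: a small Python model of what the parse operator does to a search result, covering both the "parser" field behaviour described above (the parser name when at least one field is extracted, "Not parsed" otherwise) and the precedence rule when a source-type parser and the parse-operator parser define a same-name field. The sample log lines, the field-extraction regexes, the "Syslog" source-type parser and the way top is modelled (summing num_attempts per username) are all assumptions made for the example; Logger's real top operator has its own semantics documented on its own reference page.

```python
import re
from collections import Counter

# Constructed sample of non-CEF web-server access lines (not real product output).
SAMPLE_EVENTS = [
    "user=alice status=failed attempts=3 src=10.0.0.5",
    "user=bob status=failed attempts=7 src=10.0.0.9",
    "user=alice status=success attempts=1 src=10.0.0.5",
    "user=carol status=failed attempts=2 src=10.0.0.7",
    "heartbeat ok",  # matches none of the parser's expressions
    "user=bob status=failed attempts=4 src=10.0.0.9",
]

NOT_PARSED = "Not parsed"  # value of the "parser" field when nothing was extracted


class Parser:
    """A parser definition: a name plus rex-style expressions with named groups."""

    def __init__(self, name, expressions):
        self.name = name
        self.expressions = [re.compile(e) for e in expressions]

    def apply(self, raw):
        """Return the fields this parser extracts from raw (empty dict if none)."""
        fields = {}
        for rx in self.expressions:
            m = rx.search(raw)
            if m:
                fields.update({k: v for k, v in m.groupdict().items() if v is not None})
        return fields


# Assumed parser standing in for the page's "Web Server Access Log" parser.
WEB_SERVER_ACCESS_LOG = Parser("Web Server Access Log", [
    r"user=(?P<username>\S+)",
    r"status=(?P<login_status>\S+)",
    r"attempts=(?P<num_attempts>\d+)",
])


def parse_event(raw, source_type_parser, operator_parser):
    """Apply the source-type parser (if any) first, then the parse-operator parser.

    Because the operator parser is applied last, its values win for same-name
    fields; fields unique to either parser are all kept.
    """
    event = {"_raw": raw}
    if source_type_parser is not None:
        event.update(source_type_parser.apply(raw))
    fields = operator_parser.apply(raw)
    event.update(fields)
    # "parser" names the operator parser only if it extracted at least one field.
    event["parser"] = operator_parser.name if fields else NOT_PARSED
    return event


def parse(events, operator_parser, source_type_parser=None):
    """Model of '... | parse <parser_name>' over a list of raw events."""
    return [parse_event(e, source_type_parser, operator_parser) for e in events]


def where(events, field, value):
    """Model of '... | where <field> = "<value>"'."""
    return [e for e in events if e.get(field) == value]


def top(events, n, field, count_field=None):
    """Assumed model of top: rank field values by the sum of count_field
    (or by row count when count_field is None), highest first."""
    totals = Counter()
    for e in events:
        if field not in e:
            continue  # events the parser did not populate are skipped
        totals[e[field]] += int(e[count_field]) if count_field else 1
    return totals.most_common(n)


def failed_logins_report(events=SAMPLE_EVENTS, n=10):
    """The page's pipeline: parse | where login_status = "failed" | top username num_attempts."""
    parsed = parse(events, WEB_SERVER_ACCESS_LOG)
    failed = where(parsed, "login_status", "failed")
    return top(failed, n, "username", "num_attempts")


def precedence_demo(raw="user=alice status=failed attempts=3 src=10.0.0.5"):
    """Assumed source-type parser that extracts src_ip and a truncated username;
    the operator parser's full username must win, and src_ip must survive."""
    source_type_parser = Parser("Syslog", [
        r"src=(?P<src_ip>\S+)",
        r"user=(?P<username>[a-z]{2})",  # deliberately captures only "al"
    ])
    return parse_event(raw, source_type_parser, WEB_SERVER_ACCESS_LOG)


if __name__ == "__main__":
    print(failed_logins_report())
    print(parse(["heartbeat ok"], WEB_SERVER_ACCESS_LOG)[0])
    print(precedence_demo())
```

Running the module prints the ranked failed-login totals, an event whose "parser" field is "Not parsed", and an event where the parse-operator parser's username overrides the source-type parser's value while the source-type-only field src_ip is still present.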

See Also