parse

Parses data using a predefined parser or user-defined rule.

Syntax

parse [overlay=BOOL] PARSER

parse [OPTIONS] PARSING_RULE, ...

Required Parameter

PARSER

Predefined parser name. You can see the names of the parsers in the web console.

  • (STD, ENT) Check the Name in SYSTEM CONFIG > PARSER/TRANSFORMER > Parser
  • (MAE, SNR) Check the Parser code in Logger > Parser, Normalizer.

This option cannot be used with the field=TARGET_FIELD option.

PARSING_RULE, ...

User-defined rules, separated by a comma (,). The syntax of a parsing rule is "START_ANCHOR*STOP_ANCHOR" as FIELD_NAME:

  • START_ANCHOR*STOP_ANCHOR: Parse anchors
  • as FIELD_NAME: Label given as the name of the field

The parse command parses strings according to specified start and stop anchors, and then labels them with FIELD_NAME.

Optional Parameter

overlay=BOOL

Whether to keep the original data alongside the parsed output (default: f).

  • t: Outputs the parsed data and the original data.
  • f: Outputs the parsed data only.

field=TARGET_FIELD

Field to be parsed in the input data stream (default: line). This option cannot be used with the PARSER argument.

Usage

  1. Parse the logs stored in the ssh_log table using the openssh parser.

    table from=20200601 to=20200701 ssh_log | parse openssh

  2. Extract fields by specifying the start and stop text around each value. Save the following line as "sample.txt":

    Nov 11 00:00:00 session: Proto:17, Policy:pass, Rule:9000, Type:open, Start_Time:Nov 11 00:00:00, End_Time:-

    You can extract the session, proto, policy, rule, start_time, and end_time fields from the above source using the command below.

    textfile /opt/logpresso/sample.txt
    | parse
        "session:* " as session,
        "Proto:*," as proto,
        "Policy:*," as policy,
        "Rule:*," as rule,
        "Start_Time:*," as start_time,
        "End_Time:*" as end_time
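The following is an added example, not Logpresso code, that reimplements the "START_ANCHOR*STOP_ANCHOR" as FIELD_NAME rule semantics described above in Python, including the overlay= and field= options. It assumes each rule is searched independently from the start of the text, that the first occurrence of the start anchor wins, and that an empty stop anchor (as in "End_Time:*") means "up to the end of the text".

```python
import re

# Constructed sample record; "line" holds the same text as the page's sample.txt.
SAMPLE_RECORD = {"line": ("Nov 11 00:00:00 session: Proto:17, Policy:pass, Rule:9000, "
                          "Type:open, Start_Time:Nov 11 00:00:00, End_Time:-")}

# The page's rule list, copied as text; a rule is "START*STOP" as FIELD and an
# empty STOP (as in "End_Time:*") is taken to mean "up to the end of the text".
RULES = '''
"session:* " as session,
"Proto:*," as proto,
"Policy:*," as policy,
"Rule:*," as rule,
"Start_Time:*," as start_time,
"End_Time:*" as end_time
'''

RULE_RE = re.compile(r'"([^"]*)\*([^"]*)"\s+as\s+(\w+)')


def parse_rules(rule_text):
    """Turn the rule list into (start_anchor, stop_anchor, field_name) tuples."""
    return [m.groups() for m in RULE_RE.finditer(rule_text)]


def apply_rules(record, rules, field="line", overlay=False):
    """Apply the rules to record[field]; overlay=False returns only the parsed
    fields, overlay=True returns the original record plus the parsed fields.
    Assumption: each rule is searched independently from the start of the text
    and the first occurrence of START wins; a rule whose anchors are absent
    simply produces no field rather than failing the whole record."""
    out = dict(record) if overlay else {}
    text = record.get(field)
    if not isinstance(text, str):
        return out                      # nothing to parse in this record
    for start, stop, name in rules:
        s = text.find(start)
        if s < 0:
            continue                    # start anchor absent: field not set
        s += len(start)
        e = text.find(stop, s) if stop else len(text)
        if e < 0:
            continue                    # stop anchor absent: field not set
        out[name] = text[s:e]
    return out


if __name__ == "__main__":
    print(apply_rules(SAMPLE_RECORD, parse_rules(RULES)))
```

Note that in the sample line nothing sits between "session:" and the following space, so the session field comes back as an empty string rather than being skipped.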