parse
Parses data using a predefined parser or user-defined rule.
Syntax
parse [overlay=BOOL] PARSER
parse [OPTIONS] PARSING_RULE, ...
Required Parameter
PARSER
- Predefined parser name. You can see the names of the parsers in the web console.
  - (STD, ENT) Check the Name in SYSTEM CONFIG > PARSER/TRANSFORMER > Parser
  - (MAE, SNR) Check the Parser code in Logger > Parser, Normalizer.
- This option cannot be used with the field=TARGET_FIELD option.

PARSING_RULE, ...
- User-defined rules, separated by a comma (,). The syntax of a parsing rule is "START_ANCHOR*STOP_ANCHOR" as FIELD_NAME:
  - START_ANCHOR*STOP_ANCHOR: Parse anchors
  - as FIELD_NAME: Label given as the name of the field
- The parse command parses strings according to the specified start and stop anchors, and then labels them with FIELD_NAME.

Optional Parameter
overlay=BOOL
- Option to control data overwrite (default: f).
  - t: Outputs the parsed data and the original data.
  - f: Outputs the parsed data only.

field=TARGET_FIELD
- Field to be parsed in the input data stream (default: line). This option cannot be used with the PARSER argument.
Usage
- Parse the logs stored in the ssh_log table using the openssh parser.
  table from=20200601 to=20200701 ssh_log | parse openssh
- Extract fields by specifying the start and end text from the log (save the following contents as "sample.txt").
  Nov 11 00:00:00 session: Proto:17, Policy:pass, Rule:9000, Type:open, Start_Time:Nov 11 00:00:00, End_Time:-
  You can extract the session, proto, policy, rule, and end_time fields from the above source using the command below.
  textfile /opt/logpresso/sample.txt | parse "session:* " as session, "Proto:*," as proto, "Policy:*," as policy, "Rule:*," as rule, "Start_Time:*," as start_time, "End_Time:*" as end_time
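The anchor rules from the query above, worked through in an added Python example that is not Logpresso's implementation: the extraction semantics (first start anchor, next stop anchor after it, missing stop anchor runs to end of line, missing start anchor yields None), the overlay handling and the empty value for "session" are my assumptions about how the rules behave.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample line, copied from the page's sample.txt content.
SAMPLE_LINE = ("Nov 11 00:00:00 session: Proto:17, Policy:pass, Rule:9000, "
               "Type:open, Start_Time:Nov 11 00:00:00, End_Time:-")

# The rules from the page's query, as (START_ANCHOR*STOP_ANCHOR, FIELD_NAME) pairs.
RULES: List[Tuple[str, str]] = [
    ("session:* ", "session"),
    ("Proto:*,", "proto"),
    ("Policy:*,", "policy"),
    ("Rule:*,", "rule"),
    ("Start_Time:*,", "start_time"),
    ("End_Time:*", "end_time"),
]


def split_rule(rule: str) -> Tuple[str, str]:
    """Split "START_ANCHOR*STOP_ANCHOR" at its '*'; an empty stop anchor means end of line."""
    start, sep, stop = rule.partition("*")
    if not sep:
        raise ValueError(f"rule {rule!r} has no '*' between its anchors")
    return start, stop


def apply_rules(line: str, rules: List[Tuple[str, str]],
                overlay: bool = False) -> Dict[str, Optional[str]]:
    """Toy anchor extraction (assumed semantics, not Logpresso's code).

    For each rule the text between the first START_ANCHOR and the next STOP_ANCHOR
    after it becomes FIELD_NAME. Anchors are plain substrings, not regexes, so a
    start anchor matches wherever it first occurs in the line. overlay=True mirrors
    overlay=t and keeps the original 'line' field next to the parsed fields.
    """
    out: Dict[str, Optional[str]] = {"line": line} if overlay else {}
    for pattern, field in rules:
        start, stop = split_rule(pattern)
        begin = line.find(start)
        if begin < 0:
            out[field] = None          # start anchor absent: field not extracted
            continue
        begin += len(start)
        end = line.find(stop, begin) if stop else -1
        out[field] = line[begin:] if end < 0 else line[begin:end]
    return out


if __name__ == "__main__":
    # "session:* " yields "" here because the stop anchor " " follows "session:" immediately.
    print(apply_rules(SAMPLE_LINE, RULES))
```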