Parser Node
Quick Reference
| Name | Description |
|---|---|
| Target Field | JSON path to the string field to parse. ex: $.body.raw |
| Remove Target Field | Select to remove the original field after parsing. |
| Extraction Type | Select how to extract structured data from the target field. ex: JSON, CSV, key-value pairs |
Overview
The Parser Node is used to transform raw text data (strings) into structured data (JSON objects). This is an essential step in log processing, allowing you to extract specific fields like IP addresses, timestamps, and error messages so they can be filtered, aggregated, or routed in downstream nodes.
General Configuration
Regardless of the specific parsing method chosen, all Parser Nodes share the following base settings:
- Target Field: The name of the field in your input event that contains the data you want to parse (e.g., __raw__, message, log).
- Remove Target Field: A toggle switch. If enabled, the original raw string field will be deleted from the event after the data has been successfully parsed and extracted.
- Extraction Type: The specific method used to interpret the data. The available types are detailed below.
Extraction Types
JSON
Use this when your logs are already formatted as JSON strings.
- Output Field Name (Optional): A field name to nest the parsed JSON under (e.g., parsed_json). If left blank, the parser may merge the result at the root level, where parsed keys can overwrite existing event fields of the same name; nest the output when the input comes from an untrusted source.
- Behavior: Interprets the target string as a JSON object and converts it into a structured Fleak map.
Key-Value Pairs
Use this for logs formatted as a list of pairs, such as key1=value1, key2="value 2".
- Pair Separator: The string that separates distinct pairs. Can be a single character (e.g., , or space) or multiple characters (e.g., " | " or ", "). Supports escape sequences like \t for tab and \n for newline.
- Key-Value Separator: The string that separates a key from its value. Can be a single character (e.g., =, :) or multiple characters (e.g., =>, ::). Supports escape sequences.
- Features: This parser handles quoted values intelligently. If a value is enclosed in quotes (e.g., msg="error, check logs"), separators inside the quotes are ignored.
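The following is an added example, not Fleak's parser code: a quote-aware key-value splitter in Python that takes the same two settings described above (Pair Separator and Key-Value Separator, including escape sequences typed as \t or \n) and shows how separators inside quoted values are ignored. The function and helper names are this example's own.

```python
import re
from typing import Dict

# Added example, not Fleak's own parser: a quote-aware key-value splitter
# driven by the two settings the node exposes (Pair Separator and
# Key-Value Separator). Separators may be typed with escape sequences such
# as "\t" or "\n", as in the UI; only ASCII separators are handled here.


def _unescape_separator(sep: str) -> str:
    """Turn a user-entered separator like '\\t' into the literal character."""
    return sep.encode("ascii").decode("unicode_escape")


def parse_key_value(text: str, pair_sep: str = ",", kv_sep: str = "=") -> Dict[str, str]:
    """Split `text` into a dict. Separators inside "..." or '...' are ignored,
    a backslash inside quotes escapes the next character, and a token with no
    key-value separator is dropped."""
    pair_sep = _unescape_separator(pair_sep)
    kv_sep = _unescape_separator(kv_sep)
    out: Dict[str, str] = {}
    key = None          # key of the pair currently being read, once seen
    buf = []            # characters of the current key or value
    quote = None        # active quote character while inside a quoted span
    was_quoted = False  # value was quoted, so keep its whitespace verbatim

    def flush() -> None:
        nonlocal key, buf, was_quoted
        value = "".join(buf) if was_quoted else "".join(buf).strip()
        if key:  # skip empty keys and bare tokens without a kv separator
            out[key] = value
        key, buf, was_quoted = None, [], False

    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if quote:
            if ch == "\\" and i + 1 < n:       # escaped character inside quotes
                buf.append(text[i + 1])
                i += 2
                continue
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
            i += 1
            continue
        if ch in ('"', "'"):
            quote = ch
            was_quoted = key is not None
            i += 1
            continue
        if key is None and text.startswith(kv_sep, i):
            key = "".join(buf).strip()
            buf = []
            i += len(kv_sep)
            continue
        if text.startswith(pair_sep, i):
            flush()
            i += len(pair_sep)
            continue
        buf.append(ch)
        i += 1
    flush()
    return out


if __name__ == "__main__":
    # Constructed sample line; the comma inside msg must not split the pair.
    print(parse_key_value('key1=value1, key2="value 2", msg="error, check logs"'))
```

Multi-character separators such as " | " and "=>" work because the scanner compares the separator string at each position rather than splitting on a single character; a value that contains the key-value separator after its key (b=x=y) is kept whole.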
Delimited Text (CSV)
Use this for comma-separated values (CSV) or other character-delimited logs.
- Delimiter: The character used to separate columns (e.g., ,, |, or \t).
- Column Names: You must define the names of the columns in order. Click + Add Column to map the split values to specific field names.
- Features: This uses a robust CSV parser that correctly handles quoted fields containing the delimiter.
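The following is an added example, not Fleak's Delimited Text parser: it splits one record with Python's csv module, which honours quoted fields that contain the delimiter, and maps the values onto the configured column names in order. How a column-count mismatch is handled (None for missing columns, surplus values kept under a hypothetical "_extra" key) is this example's own choice, not documented node behavior.

```python
import csv
import io
from typing import Any, Dict, List

# Added example, not Fleak's own Delimited Text parser. The "_extra" key and
# the None-for-missing rule are this example's choices.


def parse_delimited(line: str, columns: List[str], delimiter: str = ",") -> Dict[str, Any]:
    """Split one delimited record and map it onto `columns` in order.
    `delimiter` may be typed with an escape sequence such as "\\t"."""
    delimiter = delimiter.encode("ascii").decode("unicode_escape")
    # csv.reader handles "quoted, fields" containing the delimiter and "" escapes.
    rows = list(csv.reader(io.StringIO(line), delimiter=delimiter, quotechar='"'))
    values = rows[0] if rows else []
    record: Dict[str, Any] = {
        name: (values[i] if i < len(values) else None)
        for i, name in enumerate(columns)
    }
    if len(values) > len(columns):
        record["_extra"] = values[len(columns):]  # surplus columns, kept rather than dropped
    return record


if __name__ == "__main__":
    # Constructed sample record: the request field contains the delimiter.
    print(parse_delimited('10.0.0.5,"GET /index.html, HTTP/1.1",200',
                          ["src", "request", "status"]))
```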
Grok Pattern
Use this for unstructured text logs where you need to match specific patterns (like Apache or Nginx logs).
- Grok Pattern: Enter the Grok expression to define the log structure.
- Example:
%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}
- Features: Supports standard Grok patterns. It captures named groups from the expression and outputs them as fields.
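The following is an added example, not Fleak's Grok engine: a minimal Grok compiler in Python that expands %{NAME:field} references (recursively, since standard patterns reference each other) into named regular-expression groups and returns the captured fields. The pattern library is a small, abbreviated subset of the usual standard definitions; the function names are this example's own.

```python
import re
from typing import Dict, Optional

# Added example, not Fleak's own Grok engine. %{NAME:field} becomes a named
# capture group, %{NAME} an unnamed one; references inside library patterns
# are expanded recursively. The library is an abbreviated subset.

GROK_LIBRARY: Dict[str, str] = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
    "IPV4": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "LOGLEVEL": r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|"
                r"[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|"
                r"CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str, library: Dict[str, str] = GROK_LIBRARY) -> "re.Pattern[str]":
    """Expand %{...} references into a plain regular expression and compile it."""

    def expand(p: str, depth: int) -> str:
        if depth > 32:
            raise ValueError("grok pattern nests too deeply (self-referential?)")

        def repl(m: "re.Match[str]") -> str:
            name, field = m.group(1), m.group(2)
            if name not in library:
                raise KeyError(f"unknown grok pattern {name}")
            inner = expand(library[name], depth + 1)
            return f"(?P<{field}>{inner})" if field else f"(?:{inner})"

        return _REF.sub(repl, p)

    return re.compile(expand(pattern, 0))


def grok_match(pattern: str, line: str) -> Optional[Dict[str, str]]:
    """Return the named captures for `line`, or None when the pattern does not match."""
    m = compile_grok(pattern).match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed sample log line.
    print(grok_match("%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}",
                     "2024-03-01T12:00:05Z ERROR disk full on /var"))
```

Because the expansion is plain regex, the usual cautions apply: a GREEDYDATA in the middle of a pattern can backtrack heavily on long lines, and reusing a field name twice in one pattern is rejected by the regex engine.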
Syslog
Use this for logs following the RFC 5424 Syslog standard.
- Syslog Components: Select the components present in your syslog header. Options include:
  - Priority, Version, Timestamp, Device, Application, Process ID, Message ID, Structured Data.
- Message Body Delimiter (Optional): Specify a character that separates the header from the message body (e.g., :).
- Behavior:
  - It extracts standard headers into specific fields (e.g., appName, priority).
  - It parses Structured Data (content inside [id key="value"]) into nested maps.
  - The remaining text is placed in a content field.
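The following is an added example, not Fleak's Syslog parser: an RFC 5424 header parser in Python that produces the kind of output the node describes, with the header in named fields, Structured Data as nested maps, and the remaining text in content. Only appName, priority and content are names taken from the page; the other field names, the derived facility/severity fields, and the function names are this example's assumptions.

```python
from typing import Any, Dict, Optional, Tuple

# Added example, not Fleak's own Syslog parser. Field names other than
# appName, priority and content are assumptions.

NIL = "-"


def _parse_structured_data(text: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse one or more [id name="value" ...] elements from the start of
    `text`; return ({id: {name: value}}, remaining text). PARAM-VALUE escapes
    (\\", \\], \\\\) are resolved. Raises ValueError on malformed input."""
    sd: Dict[str, Dict[str, str]] = {}
    i, n = 0, len(text)
    while i < n and text[i] == "[":
        i += 1
        end = i
        while end < n and text[end] not in " ]":
            end += 1
        sd_id, params = text[i:end], {}
        i = end
        while i < n and text[i] == " ":          # one SD-PARAM per iteration
            i += 1
            eq = text.find("=", i)
            if eq == -1 or eq + 1 >= n or text[eq + 1] != '"':
                raise ValueError("malformed SD-PARAM")
            name, i, buf = text[i:eq], eq + 2, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:  # escaped ", ] or backslash
                    buf.append(text[i + 1])
                    i += 2
                else:
                    buf.append(text[i])
                    i += 1
            if i >= n:
                raise ValueError("unterminated PARAM-VALUE")
            params[name] = "".join(buf)
            i += 1                               # closing quote
        if i >= n or text[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        sd[sd_id] = params
    return sd, text[i:]


def _nil(value: str) -> Optional[str]:
    return None if value == NIL else value


def parse_syslog_rfc5424(line: str) -> Dict[str, Any]:
    """Parse `<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]`.
    NILVALUE ("-") becomes None. Raises ValueError if the header is malformed."""
    close = line.find(">")
    if not line.startswith("<") or close == -1 or not line[1:close].isdigit():
        raise ValueError("malformed PRI")
    pri = int(line[1:close])
    if pri > 191:
        raise ValueError("PRI out of range")
    parts = line[close + 1:].split(" ", 6)
    if len(parts) < 7:
        raise ValueError("truncated RFC 5424 header")
    version, timestamp, hostname, app_name, proc_id, msg_id, tail = parts
    if not version.isdigit():
        raise ValueError("malformed VERSION")
    if tail == NIL or tail.startswith(NIL + " "):
        sd, rest = {}, tail[1:]
    elif tail.startswith("["):
        sd, rest = _parse_structured_data(tail)
    else:
        raise ValueError("malformed STRUCTURED-DATA")
    content = rest[1:] if rest.startswith(" ") else rest
    return {
        "priority": pri,
        "facility": pri // 8,        # derived from PRI (RFC 5424 section 6.2.1)
        "severity": pri % 8,
        "version": int(version),
        "timestamp": _nil(timestamp),
        "hostname": _nil(hostname),
        "appName": _nil(app_name),
        "procId": _nil(proc_id),
        "msgId": _nil(msg_id),
        "structuredData": sd,
        "content": content.lstrip("\ufeff"),  # drop the optional UTF-8 BOM
    }


if __name__ == "__main__":
    # Constructed sample message with two SD elements and an escaped bracket.
    print(parse_syslog_rfc5424('<34>1 2024-03-01T12:00:00Z web01 sshd 1234 ID1 '
                               '[auth@32473 user="root" src="10.0.0.5"][meta x="a\\]b"] '
                               'Failed password for root'))
```

Nothing in a syslog header is authenticated: hostname, appName and the SD values are whatever the sender wrote, so treat them as untrusted strings in downstream routing rules rather than as identity.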
Common Event Format (CEF)
Use this for logs generated by security devices using ArcSight CEF.
- Configuration: No additional configuration is required.
- Behavior:
- Behavior:
  - Automatically validates the CEF: prefix.
  - Extracts standard header fields: deviceVendor, deviceProduct, deviceVersion, deviceEventClassId, name, severity, and version.
  - Automatically parses the "Extension" part of the log into key-value pairs.
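The following is an added example, not Fleak's CEF parser: a Python parser that validates the CEF: prefix, splits the seven header fields on unescaped pipes (honouring the \| and \\ escapes the header uses), and parses the Extension into key-value pairs, resolving the \= escape that keeps an equals sign inside a value. Nesting the pairs under an "extension" key instead of merging them with the header fields is this example's choice; the header field names match those listed above.

```python
import re
from typing import Any, Dict, List, Tuple

# Added example, not Fleak's own CEF parser. Keeping extension pairs under
# "extension" (so an extension key such as "name" cannot clobber the header
# field) is this example's choice.

HEADER_FIELDS = ("deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity")
_VERSION = re.compile(r"^CEF:(\d+)$")
# An extension key starts the string or follows whitespace and ends at '='.
# A backslash is not a key character, so an escaped "\=" never starts a key.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([\w.\[\]]+)=")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split off the seven pipe-delimited header fields, honouring \\| and \\\\.
    Returns (fields, extension); pipes inside the extension are left alone."""
    fields: List[str] = []
    buf: List[str] = []
    i, n = 0, len(line)
    while i < n and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < n:
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    return fields, line[i:]


def _unescape_extension(value: str) -> str:
    """Resolve \\=, \\\\, \\n and \\r inside an extension value."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its key's '=' up to the next key; whitespace is trimmed."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_extension(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF record. Raises ValueError when the CEF: prefix is absent."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: missing CEF: prefix")
    fields, ext = _split_header(line)
    m = _VERSION.match(fields[0])
    if not m:
        raise ValueError("malformed CEF version")
    record: Dict[str, Any] = {"version": int(m.group(1))}
    record.update(zip(HEADER_FIELDS, fields[1:]))
    record["extension"] = _parse_extension(ext)
    return record


if __name__ == "__main__":
    # Constructed sample record with an escaped pipe in the vendor and an
    # escaped '=' inside msg.
    print(parse_cef("CEF:0|Vendor\\|Inc|threatmanager|1.0|100|worm successfully stopped|10|"
                    "src=10.0.0.1 dst=2.1.2.2 spt=1232 msg=Detected a \\= in payload act=blocked"))
```

A value that contains an unescaped "key=" token (for example a msg field quoting user input) will be split at that token, which is the behavior the CEF escaping rules require producers to avoid; the parser cannot recover a producer's missing escapes.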
Windows Multiline
Use this for processing exported Windows Event Viewer logs or similar structured multiline formats.
- Timestamp Location:
  - No Timestamp: Ignore timestamp extraction.
  - First Line: Assumes the timestamp is the first line of the raw data.
  - From Field: Extract the timestamp from a specific existing field.
- Behavior: Designed to handle complex Windows logs that contain a mix of Key-Value pairs, descriptive text, and embedded XML. It aggregates split lines into coherent fields.