Parse nodrop option

For all parse operators, messages must match at least one segment of the parse expression or they are dropped from the results. Adding the nodrop option forces results to also include messages that do not match any segment of the parse term.

Syntax

* | parse "a=*," as a nodrop

In this case, messages that match a as well as all other messages are output.

* | parse "a=*," as a nodrop | parse "b=*," as b

In this case, messages that match either a or b are output. Everything else is dropped.

* | parse "a=*," as a | parse "b=*," as b

In this case, both parse operators are implicitly dropping non-matching messages. This means only messages that match both a and b are output.

* | parse "a=*," as a nodrop | parse "b=*," as b nodrop | parse "c=*," as c nodrop | parse "d=*," as d

In this case, messages that match (a or b or c or d) are output. Everything else is dropped.

Rules

  • Messages with zero matches are included in the output but do not contain any ALIAS fields or tags related to the parse expression.
  • Using the nodrop option, you can express advanced Boolean logic in choosing your desired message output when you chain the Parse operators.

Examples

Use the nodrop option with a parser

Queries can use the nodrop option with a parser, such as the Apache Access parser:

_sourceCategory=Apache* 
| parse using public/apache/access nodrop

Use the nodrop option with parse regex

You can parse out an IP address using parse regex and parse nodrop:

_sourceCategory=Apache* 
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop

Use parse nodrop as an OR condition

In this query, the URL can be preceded by either a GET or a POST prefix:

_sourceCategory=Apache*
| parse "GET * HTTP" as url nodrop 
| parse "POST * HTTP" as url
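
Building on the rule that messages with zero matches stay in the output without the alias fields, the following added example (not part of the original documentation) keeps every Apache message and counts how many carried a parseable request line, which is useful for spotting malformed or unexpected log lines that a dropping parse would silently hide. The field names get_url, post_url and parse_status are hypothetical names chosen for illustration, and the query assumes Sumo Logic's isBlank and if operators.

```sumologic
_sourceCategory=Apache*
// nodrop on both parses: no message is discarded at either step
| parse "GET * HTTP" as get_url nodrop
| parse "POST * HTTP" as post_url nodrop
// a message that matched neither anchor has no value in either field
| if (isBlank(get_url) and isBlank(post_url), "unparsed", "parsed") as parse_status
| count by parse_status
```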