Parser Editor
This topic has instructions for using the Sumo Logic parser editor. You can use the editor to customize system parsers, and to create your own custom parsers. We provide parser templates that you can use as a starting point for creating custom parsers.
For a complete list of standard parsers, see Parsers in the Cloud SIEM Content Catalog.
See additional articles for more information about the Sumo Logic Cloud SIEM parsers:
The instructions that follow assume that you have already written your parser code.
Check parser code for mapping hints
Your parser code must contain statements that tell Cloud SIEM which log mapping to use when creating Records from the field dictionary the parser creates for log messages.
Make sure your parser code includes MAPPER statements that specify the vendor, product, and event ID of the log messages to be parsed, and a FORMAT statement that defines the message format.
- MAPPER:vendor. Use this statement to identify the vendor that supplies the product. For example: MAPPER:vendor = AWS
- MAPPER:product. Use this statement to identify the product whose logs will be parsed by your parser. For example: MAPPER:product = CloudTrail
- MAPPER:event_id. Use this statement to specify the event ID to assign to parsed events. For some log messages this is a constant; for example, for a Windows Event: MAPPER:event_id = Security-4624. In other cases, you may need to form the event ID from fields contained in the log messages. In that case, you can define an event ID pattern, for example: MAPPER:event_id = {{eventType}}-{{eventName}}
- FORMAT. Use this statement to specify the format of the log messages to be parsed. For example: FORMAT = JSON
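As an added check (not part of Sumo Logic's editor or parser code), the following Python script scans parser code for the four mapping statements listed above and shows how an event ID pattern resolves against a message's field dictionary. It assumes the NAME = value statement syntax shown on this page and that {{field}} placeholders are filled from the parsed fields; the parser snippet and field values are constructed.

```python
import re

# Constructed parser snippet using the statement syntax shown on this page.
SAMPLE_PARSER = """
MAPPER:vendor = AWS
MAPPER:product = CloudTrail
MAPPER:event_id = {{eventType}}-{{eventName}}
FORMAT = JSON
"""

REQUIRED = ("MAPPER:vendor", "MAPPER:product", "MAPPER:event_id", "FORMAT")
# NAME = value, where NAME may carry a qualifier such as MAPPER:vendor.
STMT_RE = re.compile(r"^\s*([A-Za-z_]+(?::[A-Za-z_]+)?)\s*=\s*(.+?)\s*$")
PLACEHOLDER_RE = re.compile(r"\{\{(\w+)\}\}")


def parse_statements(parser_code):
    """Return {statement name: value} for each statement line; blanks are skipped."""
    stmts = {}
    for line in parser_code.splitlines():
        m = STMT_RE.match(line)
        if m:
            stmts[m.group(1)] = m.group(2)
    return stmts


def missing_mapping_hints(parser_code):
    """Names of the required mapping statements that the parser code lacks."""
    present = parse_statements(parser_code)
    return [name for name in REQUIRED if name not in present]


def render_event_id(pattern, fields):
    """Expand {{field}} placeholders from a message's field dictionary (assumed behaviour).
    Returns (event_id, missing_fields); a constant pattern passes through unchanged."""
    missing = [k for k in PLACEHOLDER_RE.findall(pattern) if k not in fields]
    event_id = PLACEHOLDER_RE.sub(lambda m: str(fields.get(m.group(1), "")), pattern)
    return event_id, missing


def preview_mapping(parser_code, fields):
    """Show which vendor, product and event_id a message would be mapped with."""
    stmts = parse_statements(parser_code)
    event_id, missing = render_event_id(stmts.get("MAPPER:event_id", ""), fields)
    return {"vendor": stmts.get("MAPPER:vendor"),
            "product": stmts.get("MAPPER:product"),
            "event_id": event_id, "missing_fields": missing}
```

A non-empty missing_fields list means the pattern references a field the message does not carry, which is worth fixing before you paste the code into the editor.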
Configure and test a custom parser
- Classic UI. In the main Sumo Logic menu, select Manage Data > Logs > Parsers. New UI. In the top menu select Configuration, and then under Logs select Parsers. You can also click the Go To... menu at the top of the screen and select Parsers.
- Navigate to the folder where you’d like to create the parser. If you want to create a new folder, click Add and select New Folder. You don’t have to organize your parsers in folders, but it's easier to manage them if you do.
- Click Add and select New Parser to display the Create Parser page.
- Name. Enter a distinctive name for the parser. Typically the parser name indicates the product or service whose messages it will parse.
- Description. (Optional) Describe the parser.
- Parser Configuration. Paste your parser code in this area.
- Import Messages from. In this step, you enter or fetch messages that you’ll use to test whether the parser parses the messages correctly. There are three options:
- Sumo Log Search. You can enter a log search query to obtain a selected number of log messages. Follow the instructions in Using Sumo log search below.
- Saved Logs. You can select a set of messages that you saved when previously using the Paste Logs option. Follow the instructions in Using saved logs below.
- Paste Logs. You can paste logs directly into the Log Messages area. Follow the instructions in Using paste logs below.
Parse Logs
- After you’ve obtained sample messages using one of the methods above, click Parse Logs.
- If all of the sample messages are parsed successfully, the results appear in the Parsed Messages section of the editor. The Event Details section shows the key-value pairs that were parsed from the raw message. If your results indicate that there were warnings, unparsed, or dropped messages, see Understanding parsing failures and warnings.
- Once your new parser is working, and you want to start using it, follow the instructions in Configuring a source to use a parser.
Get sample messages
This section describes the three methods of obtaining messages for use in testing your parser.
Using Sumo log search
To import messages by running a Sumo Logic search:
- Choose the Sumo Log Search option to open the Sumo Log Search popup.
- Enter a log query, time range, the number of messages you want returned, and click OK.
- The popup now displays the results of your search.
- Click OK to close the popup.
- The Sample logs portion of the parser editor now contains the sample messages.
- Proceed to Parse logs.
Using paste logs
To import messages by pasting them in the editor:
- Choose the Paste Logs option to open the Paste Logs popup.
- Raw Logs. Paste your log messages into this area.
- Breaker. Use this option to tell the parser editor how to split the text you entered into messages. The options are:
- Line \n. Choose this option to break the text at line breaks.
- JSON. Choose this option for JSON messages.
- Custom Regex. Choose this if you want to use a regex to define the split. The popup will refresh and prompt you for the regex.
- Click Break Messages.
- The popup refreshes and shows how the pasted text was broken into individual messages. Review the messages to verify they were split correctly.
- Click OK to close the popup. The Sample logs portion of the parser editor now contains the sample messages. Note the Save Messages As option. You can save the messages you just broke up for use in any additional testing of the parser that you may need to do.
- To save the messages, click the Save Messages As option.
- On the Save Messages popup, enter a name for the saved messages, and click Save.
- Proceed to Parse logs.
Using saved logs
To import previously saved messages:
- Click Saved Logs in the Sample Logs section of the editor. The Saved Logs popup appears.
- Select a saved file of sample messages from the list in the File Name section of the popup.
- The messages from the selected file appear in the Preview Logs section of the page.
- Click Get Logs.
- The popup closes and the logs that you retrieved now appear in the Sample Logs section of the editor.
- Proceed to Parse logs.
Understanding parsing failures and warnings
When you test your parser, the editor presents a count of how many messages were successfully parsed, and the counts of messages in the following categories:
- Parsed messages with warnings. A warning or error occurred but the message was partially parsed, depending on where the warning or error occurred. The most common cause of a warning is applying a RENAME_FIELD statement to a field that isn't present in the message.
- Unparsed messages. An error occurred that caused parsing to fail. Potential causes of parsing failures include:
  - An unmatched regex.
  - Invalid XML, when using XML parsing.
  - Invalid JSON, when using JSON parsing.
  - Fewer CSV fields in the message than expected.
  - Attempting a transform on a field that doesn't exist, unless you use TRANSFORM_FIELD_IF_PRESENT.
- Dropped messages. The message was dropped due to a DROP statement in the parser.
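To see how sample messages would fall into these categories before pasting them into the editor, here is an added Python triage script (not Sumo Logic code) that mimics the JSON and CSV failure causes listed above. It assumes a RENAME_FIELD maps a source field to a destination field and that a missing source produces a warning; dropped messages depend on your own DROP logic and are not modelled, and the sample messages are constructed.

```python
import csv
import io
import json

# Constructed sample messages (not real CloudTrail output) to exercise each category.
SAMPLE_JSON_LOGS = [
    '{"eventType": "AwsApiCall", "eventName": "ConsoleLogin", "srcAddr": "10.0.0.5"}',
    '{"eventType": "AwsApiCall", "eventName": "ConsoleLogin"',  # truncated: invalid JSON
    '{"eventType": "AwsApiCall", "eventName": "GetCallerIdentity"}',  # no srcAddr field
]
# Assumed meaning of a RENAME_FIELD statement: {source field: destination field}.
RENAMES = {"srcAddr": "srcIp"}


def classify_json_message(raw, renames=RENAMES):
    """Predict the editor's category for one message under FORMAT = JSON.
    Returns (category, fields): 'unparsed' for invalid JSON, 'warning' when a
    RENAME_FIELD source is absent from the message, otherwise 'parsed'."""
    try:
        fields = json.loads(raw)
    except json.JSONDecodeError:
        return "unparsed", {}
    if not isinstance(fields, dict):
        return "unparsed", {}
    category = "parsed"
    for src, dst in renames.items():
        if src in fields:
            fields[dst] = fields.pop(src)
        else:
            category = "warning"  # the most common warning cause named on this page
    return category, fields


def classify_csv_message(raw, column_names):
    """Under CSV parsing, fewer fields than the parser expects means 'unparsed'."""
    row = next(csv.reader(io.StringIO(raw)))
    if len(row) < len(column_names):
        return "unparsed", {}
    return "parsed", dict(zip(column_names, row))


def summarize(raws, renames=RENAMES):
    """Counts per category, like the totals the editor shows after Parse Logs."""
    counts = {"parsed": 0, "warning": 0, "unparsed": 0}
    for raw in raws:
        counts[classify_json_message(raw, renames)[0]] += 1
    return counts
```

Running summarize over the three constructed messages yields one parsed, one warning and one unparsed message, matching the categories the editor reports.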
Create a local configuration for a system parser
You can customize any of the system parsers that are built into Cloud SIEM. When you open a system parser for editing, you'll see its code in the System Configuration section. For a system parser, the UI also provides an area for entering your customizations: the part of the page labeled Local Configuration. The parsing language statements you enter there are executed in addition to those in the system configuration. If a statement you add to the local configuration already exists in the system configuration, the local statement overrides the system statement. For example, if the system configuration has:
START_TIME_FIELD = eventTime
and the local configuration has:
START_TIME_FIELD = _messagetime
the local statement overrides the system statement.
Here is an example of a local configuration that overrides the START_TIME_FIELD and TIME_PARSER statements.
The system configuration and local configuration are separate, so your customizations are preserved when Sumo Logic updates the parser.
Use cases for local configuration
You can use a local configuration to override any statement in a system parser, and to add logic to the parser using any of the statements supported by the parsing language.
One use case for a local configuration is to override one or more of a parser’s time handling statements. For example, if the logs to be parsed don’t have a timestamp, you could set START_TIME_FIELD = _messagetime. This causes the Sumo Logic core platform message time to be used as the _starttime in the field dictionary your parser creates from a message. Or, if the time formats in the logs to be parsed do not exactly match the format that a system parser assumes, you can use a local configuration to specify a different TIME_PARSER setting.
Another common reason to set up a local configuration is to pre-parse the content of a JSON object. If your parser is going to process an encapsulated JSON object, you can use a local configuration to pre-parse the original log message from the object.
To create a local configuration:
- Classic UI. In the main Sumo Logic menu, select Manage Data > Logs > Parsers. New UI. In the top menu select Configuration, and then under Logs select Parsers. You can also click the Go To... menu at the top of the screen and select Parsers.
- In the System folder, navigate to the parser you want to modify and choose Edit from the three-dot kebab menu.
- The parser editor opens. The parser code is shown in the System Configuration area.
- Paste your custom parser code in the Local Configuration area.
- Use one of the methods in Get sample messages above, and then click Parse Logs.
Move a parser
You can move a parser from one location to another within the parser editor’s folder structure. To do so, navigate to the parser you want to move, and select Move from the three-dot kebab menu.