Data Parser
The Data Parser processor allows you to parse supported data formats embedded in a field. You can parse NetFlow embedded in a byte array field or syslog messages embedded in a string field.
For example, let's say that you use a UDP Source origin to read syslog messages that contain event information generated by security devices. The messages are written in the Common Event Format (CEF). You add a Data Parser processor after the origin to parse the data in the message field using the CEF log format.
When you configure the processor, you specify the field to process and the target field for the parsed data. You indicate the type of data to be processed.
You also determine the multiple values behavior. When a field includes more than one value, you can return the first value, all values as a list, or generate a record for each value.
When generating a record, the processor includes all other incoming fields in the generated record. When generating multiple records because of multiple values in the parsed field, the processor includes the other incoming fields for each generated record.
Data Formats
- Avro - Generates a record for every message. Includes a precision and scale field attribute for each Decimal field.
- Binary - Generates a record with a single byte array field at the root of the record.
- Delimited - Generates a record for each delimited line.
- JSON - Generates a record for each JSON object. You can process JSON files that include multiple JSON objects or a single JSON array.
- Log - Generates a record for every log line.
- NetFlow - The Data Parser processor can process NetFlow 5 and NetFlow 9 messages embedded in a byte array field.
- Protobuf - Generates a record for every protobuf message. By default, the origin assumes messages contain multiple protobuf messages.
- syslog messages - The Data Parser processor can process syslog messages embedded in a string field in accordance with RFC 6587, except the processor does not support method changes.
- XML - Generates records based on a user-defined delimiter element. Use an XML element directly under the root element or define a simplified XPath expression. If you do not define a delimiter element, the origin treats the XML file as a single record.
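The multiple values behavior and the RFC 6587 framing described above, as an added Python example that is not Data Collector code: it splits a string field into syslog messages, rejects a framing method change, and applies each of the three behaviors. The function names, record layout, sample messages and the `max_len` limit are assumptions made for illustration.

```python
import re

PRI = re.compile(rb"<(\d{1,3})>")  # syslog PRI at the start of a message

def split_rfc6587(field_value: str, max_len: int = 8192) -> list[bytes]:
    """Split a string field into syslog messages using RFC 6587 framing.

    The first frame decides the framing method; a later frame that uses the
    other method (a "method change") is rejected instead of guessed at.
    """
    buf = field_value.encode("utf-8")    # MSG-LEN counts octets, not characters
    octet_counting = buf[:1].isdigit()   # octet-counted frames start with MSG-LEN
    frames, pos = [], 0
    while pos < len(buf):
        if buf[pos:pos + 1].isdigit() != octet_counting:
            raise ValueError(f"framing method change at octet {pos}")
        if octet_counting:
            sp = buf.find(b" ", pos)
            if sp == -1 or not buf[pos:sp].isdigit():
                raise ValueError(f"malformed MSG-LEN at octet {pos}")
            length = int(buf[pos:sp])
            if not 0 < length <= max_len or sp + 1 + length > len(buf):
                raise ValueError(f"oversized or truncated frame at octet {pos}")
            frames.append(buf[sp + 1:sp + 1 + length])
            pos = sp + 1 + length
        else:
            end = buf.find(b"\n", pos)   # non-transparent framing: LF trailer
            end = len(buf) if end == -1 else end
            if end > pos:
                frames.append(buf[pos:end])
            pos = end + 1
    return frames

def decode(msg: bytes) -> dict:
    """Decode PRI into facility and severity; keep the message text."""
    m = PRI.match(msg)
    pri = int(m.group(1)) if m else None
    return {"facility": None if pri is None else pri >> 3,
            "severity": None if pri is None else pri & 7,
            "raw": msg.decode("utf-8", "replace")}

def parse_field(record: dict, field: str, target: str, behavior: str) -> list[dict]:
    """Apply one of the three multiple values behaviors; other fields are kept."""
    values = [decode(f) for f in split_rfc6587(record[field])]
    if behavior == "First Value Only":
        return [{**record, target: values[0] if values else None}]
    if behavior == "All Values as a List":
        return [{**record, target: values}]
    if behavior == "Split into Multiple Records":
        return [{**record, target: v} for v in values]
    raise ValueError(f"unknown behavior: {behavior}")

# Constructed sample input: two octet-counted messages in one string field
# (ASCII only, so len() equals the octet count).
M1 = "<34>1 2024-05-01T10:00:00Z fw01 sshd - - - failed login"
M2 = "<165>1 2024-05-01T10:00:01Z fw01 app - - - config changed"
RECORD = {"sensor": "dmz-1", "message": "".join(f"{len(m)} {m}" for m in (M1, M2))}

if __name__ == "__main__":
    for rec in parse_field(RECORD, "message", "parsed", "Split into Multiple Records"):
        print(rec["sensor"], rec["parsed"])
```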
Configuring a Data Parser Processor
Configure a Data Parser processor to parse one of the supported data formats embedded in a field.
- In the Properties panel, on the General tab, configure the following properties:
  - Name - Stage name.
  - Description - Optional description.
  - Required Fields - Fields that must include data for the record to be passed into the stage. Tip: You might include fields that the stage uses. Records that do not include all required fields are processed based on the error handling configured for the pipeline.
  - Preconditions - Conditions that must evaluate to TRUE to allow a record to enter the stage for processing. Click Add to create additional preconditions. Records that do not meet all preconditions are processed based on the error handling configured for the stage.
  - On Record Error - Error record handling for the stage:
    - Discard - Discards the record.
    - Send to Error - Sends the record to the pipeline for error handling.
    - Stop Pipeline - Stops the pipeline.
- On the Parser tab, configure the following properties:
  - Field to Parse - Field that contains the data to parse. To process NetFlow messages, specify the byte array field to use. To process syslog messages, specify the string field to use.
  - Target Field - Output field for the parsed data.
  - Multiple Values Behavior - Action to take when the data in the field includes multiple values:
    - First Value Only - Returns the first value.
    - All Values as a List - Returns all values as items in a List field.
    - Split into Multiple Records - Returns each value in a separate record. This option generates multiple records, one for each parsed value from the field. Other fields in the record are retained with each record.
- On the Data Format tab, configure the following property:
  - Data Format - Data format for the data:
    - Avro
    - Delimited
    - JSON
    - Log
    - NetFlow messages
    - Protobuf
    - syslog messages
    - XML
- For Avro data, on the Data Format tab, configure the following properties:
  - Avro Schema Location - Location of the Avro schema definition to use when processing data:
    - Message/Data Includes Schema - Use the schema in the message.
    - In Pipeline Configuration - Use the schema provided in the stage configuration.
    - Confluent Schema Registry - Retrieve the schema from Confluent Schema Registry.
    Using a schema in the stage configuration or in Confluent Schema Registry can improve performance.
  - Avro Schema - Avro schema definition used to process the data. Overrides any existing schema definitions associated with the data. You can optionally use the runtime:loadResource function to load a schema definition stored in a runtime resource file.
  - Schema Registry URLs - Confluent Schema Registry URLs used to look up the schema. To add a URL, click Add and then enter the URL in the following format: http://<host name>:<port number>
  - Basic Auth User Info - User information needed to connect to Confluent Schema Registry when using basic authentication. Enter the key and secret from the schema.registry.basic.auth.user.info setting in Schema Registry using the following format: <key>:<secret>
    Tip: To secure sensitive information such as user names and passwords, you can use runtime resources or credential stores. For more information about credential stores, see Credential Stores in the Data Collector documentation.
  - Lookup Schema By - Method used to look up the schema in Confluent Schema Registry:
    - Subject - Look up the specified Avro schema subject.
    - Schema ID - Look up the specified Avro schema ID.
    - Embedded Schema ID - Look up the Avro schema ID embedded in each message.
  - Schema Subject - Avro schema subject to look up in Confluent Schema Registry. If the specified subject has multiple schema versions, the stage uses the latest schema version for that subject. To use an older version, find the corresponding schema ID, and then set the Look Up Schema By property to Schema ID.
  - Schema ID - Avro schema ID to look up in Confluent Schema Registry.
- For delimited data, on the Data Format tab, configure the following properties:
  - Delimiter Format Type - Delimiter format type. Use one of the following options:
    - Default CSV - File that includes comma-separated values. Ignores empty lines in the file.
    - RFC4180 CSV - Comma-separated file that strictly follows RFC4180 guidelines.
    - MS Excel CSV - Microsoft Excel comma-separated file.
    - MySQL CSV - MySQL comma-separated file.
    - Tab-Separated Values - File that includes tab-separated values.
    - PostgreSQL CSV - PostgreSQL comma-separated file.
    - PostgreSQL Text - PostgreSQL text file.
    - Custom - File that uses user-defined delimiter, escape, and quote characters.
    - Multi Character Delimited - File that uses multiple user-defined characters to delimit fields and lines, and single user-defined escape and quote characters.
    Available when using the Apache Commons parser type.
  - Header Line - Indicates whether a file contains a header line, and whether to use the header line.
  - Delimiter Character - Delimiter character. Select one of the available options or use Other to enter a custom character. You can enter a Unicode control character using the format \uNNNN, where N is a hexadecimal digit from the numbers 0-9 or the letters A-F. For example, enter \u0000 to use the null character as the delimiter or \u2028 to use a line separator as the delimiter. Default is the pipe character ( | ). Available when using the Apache Commons parser with a custom delimiter format.
  - Multi Character Field Delimiter - Characters that delimit fields. Default is two pipe characters (||). Available when using the Apache Commons parser with the multi-character delimiter format.
  - Multi Character Line Delimiter - Characters that delimit lines or records. Default is the newline character (\n). Available when using the Apache Commons parser with the multi-character delimiter format.
  - Escape Character - Escape character. Available when using the Apache Commons parser with the custom or multi-character delimiter format. Also available when using the Univocity parser.
  - Quote Character - Quote character. Available when using the Apache Commons parser with the custom or multi-character delimiter format. Also available when using the Univocity parser.
  - Enable Comments - Allows commented data to be ignored for custom delimiter format. Available when using the Apache Commons parser.
  - Comment Marker - Character that marks a comment when comments are enabled for custom delimiter format. Available when using the Apache Commons parser.
  - Lines to Skip - Number of lines to skip before reading data.
  - Compression Format - The compression format of the files:
    - None - Processes only uncompressed files.
    - Compressed File - Processes files compressed by the supported compression formats.
    - Archive - Processes files archived by the supported archive formats.
    - Compressed Archive - Processes files archived and compressed by the supported archive and compression formats.
  - File Name Pattern within Compressed Directory - For archive and compressed archive files, file name pattern that represents the files to process within the compressed directory. You can use UNIX-style wildcards, such as an asterisk or question mark. For example, *.json. Default is *, which processes all files.
  - Allow Extra Columns - Allows processing records with more columns than exist in the header line. Available when using the Apache Commons parser to process data with a header line.
  - Extra Column Prefix - Prefix to use for any additional columns. Extra columns are named using the prefix and sequential increasing integers as follows: <prefix><integer>. For example, _extra_1. Default is _extra_. Available when using the Apache Commons parser to process data with a header line while allowing extra columns.
  - Max Record Length (chars) - Maximum length of a record in characters. Longer records are not read. This property can be limited by the Data Collector parser buffer size. For more information, see Maximum Record Size. Available when using the Apache Commons parser.
  - Ignore Empty Lines - Allows empty lines to be ignored. Available when using the Apache Commons parser with the custom delimiter format.
  - Root Field Type - Root field type to use:
    - List-Map - Generates an indexed list of data. Enables you to use standard functions to process data. Use for new pipelines.
    - List - Generates a record with an indexed list with a map for header and value. Requires the use of delimited data functions to process data. Use only to maintain pipelines created before 1.1.0.
  - Parse NULLs - Replaces the specified string constant with null values.
  - NULL Constant - String constant to replace with null values.
  - Charset - Character encoding of the files to be processed.
  - Ignore Control Characters - Removes all ASCII control characters except for the tab, line feed, and carriage return characters.
- For JSON data, on the Data Format tab, configure the following properties:
  - JSON Content - Type of JSON content. Use one of the following options:
    - JSON array of objects
    - Multiple JSON objects
  - Max Object Length (chars) - Maximum number of characters in a JSON object. Longer objects are diverted to the pipeline for error handling. This property can be limited by the Data Collector parser buffer size. For more information, see Maximum Record Size.
  - Charset - Character encoding of the files to be processed.
  - Ignore Control Characters - Removes all ASCII control characters except for the tab, line feed, and carriage return characters.
- For log data, on the Data Format tab, configure the following properties:
  - Log Format - Format of the log files. Use one of the following options:
    - Common Log Format
    - Combined Log Format
    - Apache Error Log Format
    - Apache Access Log Custom Format
    - Regular Expression
    - Grok Pattern
    - Log4j
    - Common Event Format (CEF)
    - Log Event Extended Format (LEEF)
  - Max Line Length - Maximum length of a log line. The origin truncates longer lines. This property can be limited by the Data Collector parser buffer size. For more information, see Maximum Record Size.
  - Retain Original Line - Determines how to treat the original log line. Select to include the original log line as a field in the resulting record. By default, the original line is discarded.
  - Charset - Character encoding of the files to be processed.
  - Ignore Control Characters - Removes all ASCII control characters except for the tab, line feed, and carriage return characters.
  - When you select Apache Access Log Custom Format, use Apache log format strings to define the Custom Log Format.
  - When you select Regular Expression, enter the regular expression that describes the log format, and then map the fields that you want to include to each regular expression group.
  - When you select Grok Pattern, you can use the Grok Pattern Definition field to define custom grok patterns. You can define a pattern on each line. In the Grok Pattern field, enter the pattern to use to parse the log. You can use a predefined grok pattern or create a custom grok pattern using patterns defined in Grok Pattern Definition. For more information about defining grok patterns and supported grok patterns, see Defining Grok Patterns.
  - When you select Log4j, define the following properties:
    - On Parse Error - Determines how to handle information that cannot be parsed:
      - Skip and Log Error - Skips reading the line and logs a stage error.
      - Skip, No Error - Skips reading the line and does not log an error.
      - Include as Stack Trace - Includes information that cannot be parsed as a stack trace to the previously-read log line. The information is added to the message field for the last valid log line.
    - Use Custom Log Format - Allows you to define a custom log format.
    - Custom Log4J Format - Use log4j variables to define a custom log format.
- For NetFlow data, on the Data Format tab, configure the following NetFlow 9 properties:
  When processing earlier versions of NetFlow data, these properties are ignored.
  - Record Generation Mode - Determines the type of values to include in the record. Select one of the following options:
    - Raw Only
    - Interpreted Only
    - Both Raw and Interpreted
  - Max Templates in Cache - The maximum number of templates to store in the template cache. For more information about templates, see Caching NetFlow 9 Templates. Default is -1 for an unlimited cache size.
  - Template Cache Timeout (ms) - The maximum number of milliseconds to cache an idle template. Templates unused for more than the specified time are evicted from the cache. For more information about templates, see Caching NetFlow 9 Templates. Default is -1 for caching templates indefinitely.
- For protobuf data, on the Data Format tab, configure the following properties:
  - Protobuf Descriptor File - Descriptor file (.desc) to use. The descriptor file must be in the Data Collector resources directory, $SDC_RESOURCES. For information about generating the descriptor file, see Protobuf Data Format Prerequisites. For more information about environment variables, see Data Collector Environment Configuration in the Data Collector documentation.
  - Message Type - The fully-qualified name for the message type to use when reading data. Use the following format: <package name>.<message type>. Use a message type defined in the descriptor file.
  - Delimited Messages - Indicates if a message might include more than one protobuf message.
- For XML data, on the Data Format tab, configure the following properties:
  - Delimiter Element - Delimiter to use to generate records. Omit a delimiter to treat the entire XML document as one record. Use one of the following:
    - An XML element directly under the root element. Use the XML element name without surrounding angle brackets ( < > ). For example, msg instead of <msg>.
    - A simplified XPath expression that specifies the data to use. Use a simplified XPath expression to access data deeper in the XML document or data that requires a more complex access method. For more information about valid syntax, see Simplified XPath Syntax.
  - Compression Format - The compression format of the files:
    - None - Processes only uncompressed files.
    - Compressed File - Processes files compressed by the supported compression formats.
    - Archive - Processes files archived by the supported archive formats.
    - Compressed Archive - Processes files archived and compressed by the supported archive and compression formats.
  - File Name Pattern within Compressed Directory - For archive and compressed archive files, file name pattern that represents the files to process within the compressed directory. You can use UNIX-style wildcards, such as an asterisk or question mark. For example, *.json. Default is *, which processes all files.
  - Preserve Root Element - Includes the root element in the generated records. When omitting a delimiter to generate a single record, the root element is the root element of the XML document. When specifying a delimiter to generate multiple records, the root element is the XML element specified as the delimiter element or is the last XML element in the simplified XPath expression specified as the delimiter element.
  - Include Field XPaths - Includes the XPath to each parsed XML element and XML attribute in field attributes. Also includes each namespace in an xmlns record header attribute. When not selected, this information is not included in the record. By default, the property is not selected.
  - Namespaces - Namespace prefix and URI to use when parsing the XML document. Define namespaces when the XML element being used includes a namespace prefix or when the XPath expression includes namespaces. For information about using namespaces with an XML element, see Using XML Elements with Namespaces. For information about using namespaces with XPath expressions, see Using XPath Expressions with Namespaces. Using simple or bulk edit mode, click the Add icon to add additional namespaces.
  - Output Field Attributes - Includes XML attributes and namespace declarations in the record as field attributes. When not selected, XML attributes and namespace declarations are included in the record as fields. By default, the property is not selected.
  - Max Record Length (chars) - The maximum number of characters in a record. Longer records are diverted to the pipeline for error handling. This property can be limited by the Data Collector parser buffer size. For more information, see Maximum Record Size.
  - Charset - Character encoding of the files to be processed.
  - Ignore Control Characters - Removes all ASCII control characters except for the tab, line feed, and carriage return characters.
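An added Python sketch, not Data Collector code, of the semantics of the two NetFlow 9 template cache properties described in the NetFlow step above: -1 disables the size or idle limit, otherwise the cache is bounded and idle templates are evicted. Scoping templates by exporter address, source ID and template ID follows RFC 3954; the class name, the least-recently-used eviction order and the sample values are assumptions.

```python
import time
from collections import OrderedDict

class TemplateCache:
    """NetFlow 9 template cache bounded by entry count and idle time.

    max_templates=-1 and timeout_ms=-1 mirror the documented defaults
    (unlimited size, cache indefinitely). Evicting the least recently used
    template when the cache is full is an assumption of this sketch.
    """

    def __init__(self, max_templates=-1, timeout_ms=-1, clock=time.monotonic):
        self.max_templates = max_templates
        self.timeout_ms = timeout_ms
        self.clock = clock
        self._entries = OrderedDict()  # key -> (template, last_used_seconds)

    def _expire(self):
        if self.timeout_ms < 0:
            return
        cutoff = self.clock() - self.timeout_ms / 1000.0
        # Entries are ordered by last use, so idle ones sit at the front.
        while self._entries and next(iter(self._entries.values()))[1] < cutoff:
            self._entries.popitem(last=False)

    def put(self, exporter, source_id, template_id, template):
        self._expire()
        key = (exporter, source_id, template_id)
        self._entries.pop(key, None)
        self._entries[key] = (template, self.clock())
        while 0 <= self.max_templates < len(self._entries):
            self._entries.popitem(last=False)

    def get(self, exporter, source_id, template_id):
        self._expire()
        key = (exporter, source_id, template_id)
        if key not in self._entries:
            return None  # data cannot be decoded until the template is re-sent
        template, _ = self._entries.pop(key)
        self._entries[key] = (template, self.clock())  # refresh idle timer
        return template

    def __len__(self):
        return len(self._entries)

if __name__ == "__main__":
    # Constructed values: documentation address, hypothetical template fields.
    cache = TemplateCache(max_templates=1000, timeout_ms=60_000)
    cache.put("192.0.2.1", 0, 256, ["IPV4_SRC_ADDR", "IPV4_DST_ADDR"])
    print(cache.get("192.0.2.1", 0, 256), len(cache))
```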