Data Parser

Supported pipeline types:
  • Data Collector

The Data Parser processor allows you to parse supported data formats embedded in a field. You can parse NetFlow embedded in a byte array field or syslog messages embedded in a string field.

For example, let's say that you use a UDP Source origin to read syslog messages that contain event information generated by security devices. The messages are written in the Common Event Format (CEF). You add a Data Parser processor after the origin to parse the data in the message field using the CEF log format.

When you configure the processor, you specify the field to process and the target field for the parsed data. You indicate the type of data to be processed.

You also determine the multiple values behavior. When a field includes more than one value, you can return the first value, all values as a list, or generate a record for each value.

When generating a record, the processor includes all other incoming fields in the generated record. When generating multiple records because of multiple values in the parsed field, the processor includes the other incoming fields for each generated record.
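The CEF scenario above, sketched as an added example (not StreamSets code, and not how the processor is implemented): a CEF message embedded in a string field is parsed into a target field while the other incoming fields are carried through. The field names `message`, `cef` and `senderAddr`, the header key names, and the sample record are assumptions constructed for this illustration.

```python
import re

# Key names for the seven CEF header fields (names chosen for this example).
HEADER = ["cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
          "signatureId", "name", "severity"]

def split_header(body, nfields=7):
    """Split on unescaped '|' into the header fields plus the extension text."""
    parts, cur, i = [], [], 0
    while i < len(body) and len(parts) < nfields:
        if body[i] == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            cur.append(body[i + 1]); i += 2      # escaped backslash or pipe
        elif body[i] == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(parts) != nfields:
        raise ValueError("truncated CEF header")
    return parts, body[i:]

def parse_extension(ext):
    """Parse 'key=value' pairs; values may contain spaces and escaped '='."""
    keys = list(re.finditer(r"(?<!\S)(\w+)=", ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].rstrip()
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda e: "\n" if e.group(1) == "n" else e.group(1), raw)
    return out

def parse_field(record, field="message", target="cef"):
    """Return a copy of record with the CEF text in `field` parsed into `target`."""
    start = record[field].find("CEF:")           # skip any syslog prefix
    if start < 0:
        raise ValueError("no CEF payload in field %r" % field)
    header, ext = split_header(record[field][start + 4:])
    parsed = dict(zip(HEADER, header))
    parsed["extensions"] = parse_extension(ext)
    out = dict(record)                           # other incoming fields pass through
    out[target] = parsed
    return out

# Constructed sample record, as a UDP syslog origin might hand it downstream.
SAMPLE = {
    "senderAddr": "192.0.2.10",
    "message": (r"<134>Jan 12 10:15:02 fw01 CEF:0|Example\|Corp|Firewall|1.0|100|"
                r"Blocked \\ dropped|7|src=10.0.0.5 msg=rule\=deny-all matched act=blocked"),
}
```

Splitting the header on every `|` without honoring `\|` and `\\` shifts all later header fields by one, which is how severity and signature ID end up misattributed in downstream detections.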