Parsing Conf

ParsingConf controls how data is extracted from raw alerts and stored as parsed alert data. Parsing Configurations come in three types:





The default configuration is the configuration that comes out of the box with Salem




A parsing configuration specific to an alert source. Source configuration items override default configurations items of the same name




A parsing configuration specific to an alert name and source. These configurations take president over other configuration items of the same name defined at the source and default level

Defines how raw alerts are going to be extracted. The default is 'auto', which will try to detect if the raw event is in JSON format or KV format

Defines the parsed alert keys to be included in the

Defines a regex string used to extract key value pairs in a raw alert text. This value is ignored if parsing is set to json.

Defines a list of regex strings used to extract a timestamp from raw event data. Salem will keep testing each regex string against the alert text until either a match is found or no match is found.

There are 3 types of field transformations, and they are processed in the following order:

  • alias

  • evals

  • lookups

A dictionary where a key represents a field extracted from the alert data and value represents a new field name to set as an alias for the existing field name

# Alias Example
"alias": {
    "s": "src",
    "source": "src"

In the above example there are several fields that alias to src. These aliases are processed from the top down, meaning if 's' and 'source' both exist in the alert data, the value of src will be set to the value of 'source'

A dictionary of eval dictionaries. Each eval key value is a name and the value is a dictionary containing two keys: field and eval. Field should be set to the field name that will be set with the output of the eval statement. The eval statement should contain an eval string that returns a value to be set.

"evals": {
    "file_path": {
        "eval": "if_then(match('regex',r'[\\\\]',file),join(split(file,'\\\\')[0:-1],'/') + '/',if_then(match('regex',r'[/]',file),join(split(file,'/')[0:-1],'/') + '/',None))"
    "file": {
        "eval": "if_then(match('regex',r'[\\\\]',file),split(file,'\\\\')[-1],if_then(match('regex',r'[/]',file),split(file,'/')[-1],file))"

A dictionary of dictionaries. Each lookup item has a name key and a dictionary value with keys:

  • table

  • key

  • type

  • return

Typically, the table should be set to defaultParsingLookup, and the type set to 'parsed'. The key is the field being looked up, and return is the value returned if available in the lookup table.

"lookups": {
    "dest_ip": {
        "table": "defaultParsingLookup",
        "key": "dest",
        "type": "parsed",
        "return": "dest_ip"

Last updated