ParsingConf controls how data is extracted from raw alerts and stored as parsed alert data. Parsing Configurations come in three types:
Defines how raw alerts are extracted. The default is 'auto', which tries to detect whether the raw event is in JSON or key-value (KV) format.
Defines a regex string used to extract key-value pairs from the raw alert text. This value is ignored if parsing is set to
Defines a list of regex strings used to extract a timestamp from the raw event data. Salem tests each regex against the alert text in turn and stops at the first match; if none of them match, no timestamp is extracted.
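The three parsing settings above, worked through as an added example (this is illustrative code, not Salem's implementation): format auto-detection falls back from JSON to KV, the KV regex yields the parsed fields, and the timestamp regex list is tried in order until one matches. The default KV regex, the timestamp patterns and both sample alerts are constructed for this example and are not taken from Salem.

```python
import json
import re

# Constructed defaults for the example. Salem's own default KV regex and
# timestamp patterns are not given on the page; these are assumptions.
DEFAULT_KV_REGEX = r'(?P<key>[A-Za-z_][\w.]*)=(?P<val>"[^"]*"|\S+)'
DEFAULT_TIMESTAMP_REGEXES = [
    # ISO 8601, e.g. 2024-01-15T10:22:33Z
    r'\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?',
    # Apache/CLF style, e.g. 15/Jan/2024:10:22:33 +0000
    r'\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}',
    # Syslog style, e.g. Jan 15 10:22:33
    r'[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}',
]

# Constructed sample alerts (not real events).
SAMPLE_JSON = '{"src": "10.0.0.5", "action": "blocked", "@timestamp": "2024-01-15T10:22:33Z"}'
SAMPLE_KV = 'Jan 15 10:22:33 fw1 src=10.0.0.5 dst=10.0.0.9 action="blocked by policy" rule=42'


def detect_format(raw: str) -> str:
    """'auto' detection: a JSON object parses as JSON, anything else is treated as KV."""
    try:
        return 'json' if isinstance(json.loads(raw), dict) else 'kv'
    except ValueError:
        return 'kv'


def parse_kv(raw: str, kv_regex: str) -> dict:
    """Extract key=value pairs; quoted values lose their surrounding quotes."""
    fields = {}
    for m in re.finditer(kv_regex, raw):
        fields[m.group('key')] = m.group('val').strip('"')
    return fields


def extract_timestamp(raw: str, regexes: list):
    """Try each regex in order; return the first match, or None if none match."""
    for pattern in regexes:
        m = re.search(pattern, raw)
        if m:
            return m.group(0)
    return None


def parse_alert(raw: str, parsing: str = 'auto',
                kv_regex: str = DEFAULT_KV_REGEX,
                timestamp_regexes: list = DEFAULT_TIMESTAMP_REGEXES) -> dict:
    """Apply the parsing, KV regex and timestamp settings to one raw alert."""
    fmt = detect_format(raw) if parsing == 'auto' else parsing
    fields = json.loads(raw) if fmt == 'json' else parse_kv(raw, kv_regex)
    return {
        'format': fmt,
        'fields': fields,
        'timestamp': extract_timestamp(raw, timestamp_regexes),
    }


if __name__ == '__main__':
    for raw in (SAMPLE_JSON, SAMPLE_KV):
        print(parse_alert(raw))
```

Note that when parsing is forced to 'kv' (rather than 'auto'), a JSON alert is still run through the KV regex, so a misconfigured parsing value silently yields few or no fields; checking the parsed field count is a cheap sanity test for a new source.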
There are 3 types of field transformations, and they are processed in the following order:
A dictionary in which each key is a field extracted from the alert data and the value is the new field name to set as an alias for that existing field.
# Alias Example
In the above example there are several fields that alias to `src`. These aliases are processed from the top down, meaning that if 's' and 'source' both exist in the alert data, the value of `src` will be set to the value of 'source'.
A dictionary of eval dictionaries. Each key is the name of an eval, and its value is a dictionary with two keys: field and eval. field is the field name that will be set to the output of the eval statement; eval is the eval string that returns the value to set.
```json
"eval": "if_then(match('regex',r'[\\\\]',file),join(split(file,'\\\\')[0:-1],'/') + '/',if_then(match('regex',r'[/]',file),join(split(file,'/')[0:-1],'/') + '/',None))"
```
A dictionary of dictionaries. Each lookup item has a name key and a dictionary value with keys:
Typically, table should be set to `defaultParsingLookup` and type to 'parsed'. key is the field being looked up, and return is the value returned if that key is present in the lookup table.