Administration GuideMapping and ParsingHow to Create a Message Parsing File › Create a Parsing Filter

Previous Topic: Create a Prematch Filter

Next Topic: Dynamic Parsing

Create a Parsing Filter

You can create a parsing filter to define how the XMP file parses event data. Each parsing filter is attached to a prematch filter. After the parsing process locates a prematch string, it uses each parsing filter attached to that prematch in turn to locate its specified information. The parsing process returns the first positive match it makes.

When you click the Add a Parsing Filter button in the Match and Parse step of the Message Parsing wizard you start the Parsing File Filter wizard. To create effective parsing filters you need a good understanding of the regular expression syntax.

To create a parsing filter

  1. Open the Parsing File Filter wizard, and type a filter name and optional description in the Filter Details page.
  2. Click Add new to add a static field value that you want to appear in all events parsed by the filter.

    A static field row appears, displaying New Field and New Value cells.

  3. Type an entry in the New Field cell, and type an entry in the New Value cell. The auto-complete feature narrows available CEG field names as you type in the New Field cell, and presents a menu of choices.
  4. (Optional) Repeat steps 2-3 to add static field values as needed.
  5. Advance to the Regular Expression step.

    The Parsing Expression Testing window opens, displaying any current regular expression. Immediately below the regular expression is the Event pane. This area shows one or more sample events, if you previously loaded sample events. The wizard can test these events against the regular expression as you build it.

  6. Click Add or Remove Tokens from Library to display a list of predefined regular expressions you can add for use in the current filter. Select the tokens you want to add and click OK to add them to the Parsing Tokens list.
  7. (Optional) Click New Regular Expression Token to create a Parsing Token, and enter its regular expression syntax in the Token Details pane. You can now create custom expressions for your environment. You can add a custom token to your local library by clicking Add Selected Token to the Library at the top of the Parsing Tokens pane.

    Note: When you create a new datetime token, select the 'Treat as a datetime value' check box to enter a format for parsing the time value. This value does not affect the display format.

  8. Add regular expression statements for the filter in the Regular Expression entry field. You can drag and drop expressions from the Parsing Tokens list. You can also type or edit the expression directly in the Regular Expression entry field.

    Note: Selecting a token in the Parsing Tokens list displays its regular expression syntax in the Token Details pane. You can view the parsing token mapping in a given rule to repeat it in other parsing rules.

  9. (Optional) Select the Dynamic Name/Value Pairs checkbox if your target events include key pairs you want to display. See "Dynamic Parsing" for more information.
  10. (Optional) If you want to use dynamic parsing, enter a dynamic parsing expression in the dynamic pairs entry field. For example, enter: 
    (_PAIR_KEY_)=(_PAIR_VALUE_);

    Any pairs separated by an equal sign and spaced by a semicolon appear. You can enter more expressions to find pairs displayed in other formats. See Dynamic Parsing for more information.

  11. Preview how the file parses the sample events using the Event and Parsed Event panes. As you modify the parsing filter regular expression, parsed portions of the sample event are highlighted in blue text and dynamically parsed pairs appear in green. You can verify the effectiveness of the parsing.
  12. (Optional) Change the sample event for additional testing by using the back and forward arrows under the Event pane to move through the available sample events.
  13. Click Save and Close when you are satisfied with the regular expression. You can use Reset to return the regular expression to its initial state.

    The Parsing File Filter wizard closes, returning you to the Match and Parse step of the Parsing File wizard.

More information:

Dynamic Parsing

Parsing Tokens

Add a Custom Token to the Library