Administration GuideMapping and ParsingHow to Create a Message Parsing File › Create a Prematch Filter

Previous Topic: Add Global Fields

Next Topic: Create a Parsing Filter

Create a Prematch Filter

You can create a prematch filter to help the XMP file narrow its search for event information you want to parse. The prematch filter identifies a selected text string to narrow the event selection process, which is then completed by parsing filters. If you consider the parsing file as a funnel, the prematch filter forms the mouth and the parsing filter is the spout.

The more complete your prematch filtering is, the more efficient your parsing process is. This is because narrow prematch categories held reduce the processing effort required to parse events.

For example, if you wanted to parse access attempt events, you might create a prematch filter that searches for the text "login", and add appropriate parsing filters to that prematch filter.

Note: Deleting a prematch filter also removes its associated parsing filter or filters.

To create a prematch filter

  1. Open the parsing file wizard and advance to the Match and Parse step.

    The wizard displays any existing prematch filters in the Prematch Filters list. Each one displays the number of prematches to any sample events in parentheses beside it.

  2. Click Add a Prematch String at the top of the Prematch Filters list, or select a prematch filter to edit.

    Note: To select a prematch filter, type the first few characters of the prematch string in the Search field. All the prematch strings matching the entered characters are displayed. Within the resulting matching prematch strings, you cannot use the up-down arrows to move a prematch string.

  3. Type the text you want the filter to search for in the Prematch String entry field.

    Any sample events that match the text you enter immediately appear, along with the number of matched events found and parsed.

  4. (Optional) Click Add prematch based on unmatched events to show all unmatched sample events.

    Any sample events that are currently unmatched appear in the Events area for easy reference in creating a new prematch filter.

  5. (Optional) Add or edit additional prematch filters as needed.
  6. Set the order in which you want the parsing process to search for prematches, using the up-down arrows beside the Prematch Filters list. Setting prematch filters that match more events higher in the priority list improves the efficiency of your parsing process.
  7. Click the appropriate arrow to advance to the wizard step you want to complete next, or click Save and Close.

    If you click Save and Close, the new file appears in the Parsing File User folder, otherwise the step you choose appears.