You can use dynamic parsing to display multiple, unaltered name-value pairs that already exist in the raw event. Unlike normal parsing, where each parsed token can be assigned to a CEG field or a user-defined field, the name part of the name-value pair becomes the field and cannot be assigned to any CEG field or user-defined field. Dynamic parsing is useful where applications or formats record event data in key pairs that you want to protect from change rather than parse into CEG names or other values. It also improves parsing performance in the cases where it is applicable.
The regular expression which allows dynamic parsing contains four elements:
The separators you use must match the structure of the event source you are parsing. If your event source uses a comma as a separator, your regular expression must use a comma as well.
Example
(dest_objectclass)=(ServerE);
In this example, the key-value separator is "=" and the pair separator is ";".
Using this expression after other regular expressions allows the XMP file to locate and display any key pairs that appear in parsed events.
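The following is an added illustration, not CA's own code or XMP file syntax: a Python sketch of the same name-value extraction, showing what happens when the separators in the expression do not match the event source. The function names and the sample events are constructed for this example.

```python
import re

def build_pair_regex(kv_sep="=", pair_sep=";"):
    """Compile a regex of the form (name)<kv_sep>(value)<pair_sep>."""
    if len(kv_sep) != 1 or len(pair_sep) != 1 or kv_sep == pair_sep:
        raise ValueError("separators must be two different single characters")
    kv, ps = re.escape(kv_sep), re.escape(pair_sep)
    # Name: no whitespace and neither separator. Value: anything up to the
    # next pair separator, so it may be empty or contain the key-value separator.
    return re.compile(rf"([^\s{kv}{ps}]+){kv}([^{ps}]*){ps}")

def dynamic_parse(raw_event, kv_sep="=", pair_sep=";"):
    """Return every (name, value) pair in event order, with names unaltered."""
    return build_pair_regex(kv_sep, pair_sep).findall(raw_event)

# Constructed sample events (not taken from a real log source).
SEMICOLON_EVENT = "host1 app: dest_objectclass=ServerE;event_result=S;src_username=jdoe;"
COMMA_EVENT = "host1 app: dest_objectclass=ServerE,event_result=S,src_username=jdoe,"

if __name__ == "__main__":
    print(dynamic_parse(SEMICOLON_EVENT))
    print(dynamic_parse(COMMA_EVENT))                # wrong pair separator: nothing found
    print(dynamic_parse(COMMA_EVENT, pair_sep=","))  # matching separator: all pairs found
```

A source that mixes separators fails less visibly than a clean mismatch: `a=1,b=2;` parsed with ";" as the pair separator yields one field `a` with the value `1,b=2`. Compare extracted values against the raw events when you add the expression.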
Copyright © 2013 CA.
All rights reserved.