For NetWitness Platform 11.5, RSA has added a beta version of JSON mappings.
View JSON Mappings
From the Log Parsers pane, select a parser, then click JSON Mappings.
The JSON Mappings and Mapping Details are shown for the parser you selected.
The image above shows the details for the mapping from a portion of a JSON log that contains time data, to the event.time.str meta key in NetWitness Platform.
The Mapping Details pane displays the following information.
|display name|| |
This name corresponds to the name displayed in the JSON Mappings pane.
The path to where the values for this portion of the log are stored.
Select a meta key to which this value from the log is mapped. Select a value from the drop-down menu.
Optional if you choose a Value Format.
|value format|| |
Choose a value format parser onto which to pass this JSON value.
Optional if you choose a Meta.
Optionally, you can enter a text description for this mapping.
Add a JSON Mapping
After you add a parser, as described in Add a Log Parser, you can then add JSON mappings.
- Follow the procedure to add a parser.
Select the JSON Mappings entry for the newly-added parser.
The following screen shows an example where an Accurev parser has been added:
- Click Add New to begin adding a mapping.
- Enter values for display name, path, meta or value format (or both), and (optionally) a description.
- Click Save to save your new mapping.
For example, the following screen shows a mapping, emailSource, has been added:
Deploy JSON Parser
You need to deploy a JSON parser so that logs coming in to any decoder are parsed appropriately and meta is generated and stored correctly.
To deploy a parser, select it from the list and click Deploy. The parser, its dynamic rules, and its mappings are sent to all Log Decoders.