
Log Parser Customize: JSON Mappings (Beta)

Document created by RSA Information Design and Development Employee on Sep 8, 2020
Last modified by RSA Information Design and Development Employee on Nov 11, 2020
Version 2

For NetWitness Platform 11.5, RSA has added a beta version of JSON mappings.

JSON Mappings screen, Beta

View JSON Mappings

  1. In the NetWitness Platform UI, go to (Configure) > Log Parser Rules.

  2. From the Log Parsers pane, select a parser, then click JSON Mappings.

    The JSON Mappings and Mapping Details are shown for the parser you selected.

    The image above shows the details for the mapping from a portion of a JSON log that contains time data, to the event.time.str meta key in NetWitness Platform.

The Mapping Details pane displays the following information.

display name

This name corresponds to the name displayed in the JSON Mappings pane.

path

The path to where the values for this portion of the log are stored.

meta

Select a meta key to which this value from the log is mapped. Select a value from the drop-down menu.

Optional if you choose a Value Format.

value format

Choose a value format parser to which this JSON value is passed.

Optional if you choose a Meta.

description

Optionally, you can enter a text description for this mapping.

Note: You need to select a meta or enter a Value Format, but you do not need to fill in values for both settings.

Add a JSON Mapping

After you add a parser, as described in Add a Log Parser, you can then add JSON mappings.

  1. Follow the procedure to add a parser.
  2. Select the JSON Mappings entry for the newly added parser.

    The following screen shows an example where an Accurev parser has been added:

    JSON Mappings example, Accurev

  3. Click Add New to begin adding a mapping.
  4. Enter values for display name, path, meta or value format (or both), and (optionally) a description.
  5. Click Save to save your new mapping.

For example, the following screen shows that a mapping, emailSource, has been added:

Example of JSON Mapping that has been added

Auto Discover JSON Mappings

Beginning with NetWitness Platform version 11.5.1, you can automatically create the mappings without the need to manually enter the name and path of the mapping.

The following is a sample JSON log:

{"terminal":"WIN-OT2OAJHG9NN","@timestamp":"2020-05-21T05:45:31.787Z","host_name":"WIN-OT2OAJHG9NN","global_userid":null,"dbusername":"C##TET_USER","object_schema":null,"os_process":"7992:5208","audit_option":null,"role":null,"unified_audit_policies":"ORA_LOGON_FAILURES","action_name":"LOGON","entry_id":1,"audit_type":"Standard","authentication_type":"(TYPE=(DATABASE));(CLIENT ADDRESS=((PROTOCOL=beq)(HOST=;","dbproxy_username":null,"external_userid":null,"@version":"1","new_schema":null,"new_name":null,"statement_id":1,"proxy_sessionid":0,"os_username":"WIN-OT2OAJHG9NN\\Administrator","system_privilege":null,"sql_binds":null,"timestamp":"2020-05-21 10:22:12","client_program_name":"sqlplus.exe","sessionid":4125005309,"userhost":"WORKGROUP\\WIN-OT2OAJHG9NN","rman_device_type":null,"object_name":null,"event_timestamp_utc":"2020-05-20T23:22:12.452Z","system_privilege_used":null,"return_code":1017,"version":"","instance_name":"orcl","sql_text":null,"target_user":null,"fga_policy_name":null,"rman_object_type":null,"dbid":1566661212,"rman_operation":null}

To auto-discover JSON mappings:

  1. Select the JSON Mappings entry for the appropriate parser.
  2. Paste a JSON-formatted log message into the Sample JSON message text box, and click Render JSON.

    Rendering JSON in Editing Mode allows you to view and edit (if needed) the logs in a pretty format. Additionally, if your text is not valid JSON, the text field is displayed in red.

  3. Click Mapping Mode to view the JSON in a collapsible tree format, which also highlights the mapping.

Note: In Mapping Mode, you cannot edit the logs.

  4. Click Auto-Discover Mappings to discover the JSON nodes and create mappings.

    The Meta Mappings pane is populated as shown here:

  5. After you auto-discover, note that all the mappings are invalid (preceded by this icon: ). You cannot save your changes until all the mappings are valid (mapping is preceded by this icon: ) or removed.

    • To make a mapping valid, you need to select a Meta Key or Value Format for all the mappings that you want to parse and save.
    • If there are mappings that you do not want to save, select the mapping and click Delete. Alternatively, after you complete all of the mappings that you want to keep, you can click Remove Unmapped to remove all mappings that you have not yet validated.

    In the following screen, all mappings have been completed or removed:

  6. After you have either completed or removed all of your mappings, click Save to save your new mappings. Note that the icon preceding each mapping is removed.
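
The auto-discover procedure above can be rehearsed offline before pasting a log into the UI. The following is an added example, not RSA code and not the product's implementation: it walks a JSON log, lists one candidate mapping per leaf node, and applies the page's rule that a mapping is valid only once it has a meta key or a value format. It goes slightly beyond the page by handling nested objects and arrays. The RFC 6901 JSON Pointer path notation, the array indexing, the function names, and the nested "client" field are assumptions made for illustration; the product's own path syntax is not shown on this page.

```python
import json

# Constructed sample: five fields copied from the page's sample log, plus a
# nested "client" object added here to show how nested nodes get a path.
SAMPLE = ('{"@timestamp":"2020-05-21T05:45:31.787Z","dbusername":"C##TET_USER",'
          '"action_name":"LOGON","return_code":1017,"sql_text":null,'
          '"client":{"program/name":"sqlplus.exe"}}')

def pointer(parts):
    """Render a path as an RFC 6901 JSON Pointer (assumed notation)."""
    return "".join("/" + str(p).replace("~", "~0").replace("/", "~1")
                   for p in parts)

def discover(node, parts=()):
    """Return one not-yet-valid mapping per leaf node, in document order."""
    if isinstance(node, dict):
        return [m for k, v in node.items() for m in discover(v, parts + (k,))]
    if isinstance(node, list):  # indexing array items is an assumption
        return [m for i, v in enumerate(node) for m in discover(v, parts + (i,))]
    name = str(parts[-1]) if parts else ""
    return [{"display_name": name, "path": pointer(parts),
             "meta": None, "value_format": None, "sample": node}]

def is_valid(mapping):
    """Page rule: a mapping needs a meta key or a value format (or both)."""
    return bool(mapping["meta"] or mapping["value_format"])

def remove_unmapped(mappings):
    """Drop every mapping that has not been completed."""
    return [m for m in mappings if is_valid(m)]

def can_save(mappings):
    """Saving is allowed only when no invalid mapping remains."""
    return all(is_valid(m) for m in mappings)

if __name__ == "__main__":
    found = discover(json.loads(SAMPLE))
    for m in found:
        print(f'{m["path"]:24} sample={m["sample"]!r}')
    print("can save:", can_save(found))            # nothing mapped yet
    found[0]["meta"] = "event.time.str"            # meta key named on the page
    kept = remove_unmapped(found)
    print("kept:", [m["path"] for m in kept], "can save:", can_save(kept))
```

Listing the leaf nodes this way also shows which fields carry null in the sample (such as sql_text), so you can decide whether to map or remove them before saving.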

Deploy JSON Parser

You need to deploy a JSON parser so that logs coming in to any decoder are parsed appropriately and meta is generated and stored correctly.

To deploy a parser, select it from the list and click Deploy. The parser, its dynamic rules, and its mappings are sent to all Log Decoders.

Note: A JSON parser must have at least one rule or mapping to enable deployment.
