Administrators can see which parsers have been downloaded from Live and deployed on a Decoder or Log Decoder, see which of these have been enabled, and enable or disable parsers and log parsers.
The following figure illustrates commonly used settings on a Decoder. For a quick basic setup with only the required steps, see Decoder and Log Decoder Quick Setup.
You should only download and deploy the parsers you need for the following reasons:
- There is an impact on performance as you increase the number of deployed parsers.
- The more parsers you deploy, the more meta data created, which impacts data retention
- Not having extra (unnecessary) log parsers deployed reduces the potential for misidentification of messages.
The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates. These are the options in the Parsers Configuration panel.
To enable or disable an parser, or to view the status for each parser:
- Go to ADMIN > Services.
- In the Administration Services view, select a Log Decoder or a Decoder, and >View > Config.
- In the Parsers Configuration panel, look for the Decoder parser or the Log Decoder event source parser.
- In the Config Value column, note the current status for your parser.
You can update the status of any individual parser by selecting its Config Value and selecting Disabled, Transient, or Enabled from the drop-down menu. Alternatively, you can select Enable All or Disable All to update the status for all of your log parsers at once.
- Click Apply.
When you click Apply, note that all parsers are reloaded into NetWitness Suite. The status for each parser is updated, based on your selections.