Dion Stempfley

Custom log parser with optional fields

Dec 21, 2016
Latest reply on Jan 16, 2017 by John Kisner

I am creating a parser for a device in Netwitness 10.6.2 and I need it to be able to skip over fields that don't appear in the log.  For example, I have a category and event description separated by a , but occasionally there is no event description.

   File Integrity Change -- SRC_IP: ...
   AV Policy violation, vulnerable Java version detected on SRC_IP -- SRC_IP: ...

My first cut at the content line in the parser doesn't account for the first option.  Can I write a simple regex to exclude the event_description if it doesn't exist?

   content="<category>,<event_description>-- SRC_IP: ...
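Added illustration, not a reply from the thread and not NetWitness parser syntax: the Python regex below shows the optional-group idea the question asks about, run over two constructed lines shaped like the samples in the post (the IP addresses are placeholders standing in for the "..."). The key points are making the comma-plus-description an optional group and anchoring the end of the description on the literal "-- SRC_IP:" rather than the bare word SRC_IP, which can also appear inside the description.

```python
import re
from typing import List, Optional

# Constructed sample lines modelled on the two shapes in the post:
# one without an event description, one with it.  The addresses are
# placeholders for the "..." in the original.
SAMPLE_LOGS = [
    "File Integrity Change -- SRC_IP: 10.0.0.5",
    "AV Policy violation, vulnerable Java version detected on SRC_IP -- SRC_IP: 10.0.0.9",
]

# category:          everything up to the first comma or the " -- SRC_IP:" marker
# event_description: optional; only consumed when a comma follows the category
# src_ip:            the token after the literal "-- SRC_IP:" marker
# Anchoring on "-- SRC_IP:" (not just "SRC_IP") matters because the
# description text itself may contain the word SRC_IP.
LOG_RE = re.compile(
    r"^(?P<category>[^,]+?)"
    r"(?:,\s*(?P<event_description>.*?))?"
    r"\s*-- SRC_IP:\s*(?P<src_ip>\S+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the extracted fields, or None if the line does not match.

    event_description is None when the log carries no description segment
    (no comma) or when the segment after the comma is empty.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    if not fields["event_description"]:
        fields["event_description"] = None
    return fields


def parse_all(lines: List[str]) -> List[Optional[dict]]:
    """Parse a batch of lines; unmatched lines come back as None."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for parsed in parse_all(SAMPLE_LOGS):
        print(parsed)
```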