Dion Stempfley

Custom log parser with optional fields

Discussion created by Dion Stempfley on Dec 21, 2016
Latest reply on Jan 16, 2017 by John Kisner

I am creating a parser for a device in Netwitness 10.6.2 and I need it to be able to skip over fields that don't appear in the log. For example, I have a category and event description separated by a comma, but occasionally there is no event description.


Examples:

   File Integrity Change -- SRC_IP: ...  

   AV Policy violation, vulnerable Java version detected on SRC_IP -- SRC_IP: ...


My first cut at the content line in the parser doesn't account for the first option.  Can I write a simple regex to exclude the event_description if it doesn't exist?


   content="<category>,<event_description>-- SRC_IP: ...
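The regex logic the question is asking for, written as an added Python example rather than in NetWitness parser syntax, and not code from the original post or its replies: the `,<event_description>` segment is wrapped in an optional group so the same pattern matches both of the quoted formats. The two sample lines are constructed from the post's examples; the IP addresses and the `SRC_IP:` tail are assumed, since the post truncates them.

```python
import re

# Constructed sample lines, modelled on the two formats quoted above.
# The IP values are invented for the example.
SAMPLES = [
    "File Integrity Change -- SRC_IP: 10.0.0.5",
    "AV Policy violation, vulnerable Java version detected on SRC_IP -- SRC_IP: 10.0.0.7",
]

# category: lazy match of anything up to the first comma or the " -- " delimiter.
# event_description: the whole ",<text>" segment is an optional non-capturing
#   group, so a line with no comma still matches and the group is None.
# src_ip: a run of non-space characters after "SRC_IP:".
PATTERN = re.compile(
    r"^(?P<category>[^,]+?)"
    r"(?:,\s*(?P<event_description>.+?))?"
    r"\s*--\s*SRC_IP:\s*(?P<src_ip>\S+)"
)


def parse_line(line):
    """Return the named fields as a dict, or None if the line does not match.

    Fields that were absent from the log line (here: event_description)
    come back as None rather than causing the whole match to fail.
    """
    m = PATTERN.match(line)
    if not m:
        return None
    return m.groupdict()


def parse_all(lines):
    """Parse a sequence of log lines, keeping only those that matched."""
    return [parsed for parsed in (parse_line(l) for l in lines) if parsed]


if __name__ == "__main__":
    for record in parse_all(SAMPLES):
        print(record)
```

The point to check when adapting this is that `category` must not be allowed to swallow the delimiter: keeping it lazy (`+?`) and excluding the comma (`[^,]`) is what lets the optional group decide whether a description is present. If the parser format you are using does not support optional groups directly, the usual fallback is two message definitions, one with and one without the `,<event_description>` segment, matched most-specific first.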
