Description
The Parser function can be used to extract fields out of events or reserialize (re-write) events with a subset of fields. Reserialization will maintain the format of the event. For example, if an event contains comma delimited fields and fieldA and fieldB are filtered out, their positions will be set to null and not deleted completely.
Usage
Filter: Filter expression (JS) that selects data to be fed through the function. Defaults to empty - all events will be evaluated.
Description: Simple description about this function. Defaults to empty.
Final: If true, stops data from being fed to the downstream functions. Defaults to No.
Parser Mode: Operating mode. Extract creates new fields. Reserialize will extract, filter fields and then reserialize. Defaults to Extract.
Parser Type: Parser type to use. Options: CSV, JSON, K=V Pairs, Extended Log File Format (ELFF), Common Log Format (CLF)
Parser Library: Browse parser library to select a saved parser.
List of Fields: Fields expected to be extracted, in order. If not specified parser will auto-generate.
Fields to Keep: List of fields to keep, supports wildcards (). Takes precedence over *Fields to Remove.
Fields to Remove: List of fields to remove, supports wildcards (). Cannot remove fields matching *Fields to Keep.
Fields Filter Expression: Expression evaluated against {index, name, value} context of each field. Return truthy to keep, falsy to remove field.
Destination Field: Field where to add extracted fields to (Extract mode only).
JSON Example
Assume we have a JSON event that needs to be reserialized given these requirements:
- Remove the
levelfield only if it's set toinfo - Remove the
startTimefield and all those that end inCxnin thevalues.total.path
Parser Function Configuration:
JSON event after processed by the function:
