Description
The Parser function can be used to extract fields out of events or reserialize (re-write) events with a subset of fields. Reserialization will maintain the format of the event. For example, if an event contains comma delimited fields and fieldA and fieldB are filtered out, their positions will be set to null and not deleted completely.
Usage
Filter: Filter expression (JS) that selects data to be fed through the function. Defaults to empty - all events will be evaluated.
Description: Simple description about this function. Defaults to empty.
Final: If true, stops data from being fed to the downstream functions. Defaults to No.
Parser Mode: Operating mode. Extract creates new fields. Reserialize will extract, filter fields and then reserialize. Defaults to Extract.
Parser Type: Parser type to use. Options: CSV, JSON, K=V Pairs, Extended Log File Format (ELFF), Common Log Format (CLF)
Parser Library: Browse parser library to select a saved parser.
List of Fields: Fields expected to be extracted, in order. If not specified parser will auto-generate.
Fields to Keep: List of fields to keep, supports wildcards (*). Takes precedence over Fields to Remove. Nested addressing supported.
Fields to Remove: List of fields to remove, supports wildcards (*). Cannot remove fields matching Fields to Keep. Nested addressing supported.
- Note: Negated terms are supported in both Fields to Remove and Fields to Keep. List is order sensitive when negated terms are used. E.g.,
!foobar, foo*means "All fields that start with 'foo' except foobar".!foo*, *means "All fields except for those that start with 'foo'".
Fields Filter Expression: Expression evaluated against {index, name, value} context of each field. Return truthy to keep, falsy to remove field. Index is zero based.
Destination Field: Field where to add extracted fields to (Extract mode only).
How do Fields to Keep, Fields to Remove and Fields Filter Expression interact
Order or priority: Fields to Keep > Fields to Remove > Fields Filter Expression
If a field is in Fields to Keep and Fields to Remove, Fields to Keep takes precedence.
If a field is in Fields to Remove and in Fields Filter Expression, Fields to Remove takes precedence.
Example 1
Assume we have an event with KV pairs as below:<timestamp> a=000,b=001,c=002,d=003,e=004,f=005,g1=006,g2=007,g3=008, ...
To extract all fields we can select K=V Pairs from Parser Type.
Scenario A: Keep fields a, b, c. Drop the rest.
Expected result: a, b, c
- Fields to Keep:
a,b,c - Fields to Remove:
* - Fields Filter Expression: <empty>
Scenario B: Keep fields a, b, those that start with g. Drop the rest.
Expected result: a, b, g1, g2, g3
- Fields to Keep:
a,b - Fields to Remove: <empty>
- Fields Filter Expression:
name.startsWith('g')
Scenario C: Keep fields a, b, those that start with g but only if value is 007. Drop the rest.
Expected result: a, b, g2
- Fields to Keep:
a,b - Fields to Remove: <empty>
- Fields Filter Expression:
name.startsWith('g') && value=='007'
Scenario D: Keep fields a, b, c, those that start with g, unless it's g1. Drop the rest.
Expected result: a, b, c, g2, g3
- Fields to Keep:
a,b,c - Fields to Remove:
g1 - Fields Filter Expression:
name.startsWith('g')
Scenario E: Keep fields a, b, c, those that start with g but only if index is greater than 6. Drop the rest.
Expected result: a, b, c, g2, g3
- Fields to Keep:
a,b,c - Fields to Remove: <empty>
- Fields Filter Expression:
name.startsWith('g') && index>6
Note: index refers to the location of a field in the array of all fields extracted by this parser. It is zero-based. In the case above, g2 and g3 have an index of 7 and 8 respectively.
Example 2
Assume we have a JSON event that needs to be reserialized given these requirements:
- Remove the
levelfield only if it's set toinfo - Remove the
startTimefield and all those that end inCxnin thevalues.total.path
Parser Function Configuration:
JSON event after processed by the function:
