On This Page

Home / Search/ Connect to External Data/ Configure/ Datatypes/v2 Datatypes in Cribl Search

v2 Datatypes in Cribl Search

Simplify parsing and speed up searches with AI-powered v2 Datatypes.

What’s a v2 Datatype?

A set of rules that tells Cribl Search how to interpret data, allowing for automatic parsing and faster searches than the older v1 Datasets.

For a comparison of v1 and v2 Datatypes, see v1 and v2 Datatypes.

For general info on Datatypes, see Datatypes in Cribl Search.

v2 Datatypes and Lakehouse Engines

v2 Datatypes help ingest your data into high-speed lakehouse engines. In this scenario, you can assign v2 Datatypes in different ways:

v2 Datatypes and Federated Datasets

v2 Datatypes are gradually replacing v1 Datatypes for federated searches, to offer more automated parsing and better search performance.

To see what’s currently supported, see Federated Search v2.

Edit a Stock v2 Datatype

To edit a stock v2 Datatype, clone it first.

  1. On the Cribl.Cloud top bar, select Products > Search > Data > Datatypes.
  2. On the Datatypes page, select the v2 Datatype you want to edit.
  3. Select Clone Datatype.

    Now, you’re editing the clone.

  4. Make your changes. To find out how, see individual sections in Add a Custom v2 Datatype.

Confirm with Save. Now, you can apply your custom v2 Datatype to your Datasets.

Add a Custom v2 Datatype

You can add custom v2 Datatypes to parse data that’s not covered by the auto-applied stock v2 Datatypes.

On the Cribl.Cloud top bar, select Products > Search > Data > Datatypes > Add Datatype.

1. Describe

In the New Datatype modal:

  • Set Type of your Datatype to v2.
  • In ID, enter a unique identifier for your v2 Datatype (for example, web_access_v2). Avoid spaces and special characters.
  • In Description, give an overview of your v2 Datatype, so you and others know what it’s for.
  • In Tags, add keywords that might help you find your v2 Datatype later (for example, web logs).

2. Set the Data Format

In Data format, specify how your incoming data is formatted:

JSON Newline DelimitedDelimited TextJSON ArrayKey-Value PairParquetRaw TextXML

Choose this data format if your data arrives as newline-delimited JSON, for example:

{"time":"2020-05-25T18:00:54.201Z","cid":"w1","channel":"clustercomm","level":"info","message":"metric sender","total":720,"dropped":0}
{"time":"2020-05-25T18:01:01.120Z","cid":"w1","channel":"clustercomm","level":"info","message":"metric sender","total":715,"dropped":2}

Choose this data format if your incoming data is formatted as delimited text, for example, CSV:

time,cid,channel,level,message,total,dropped
2020-05-25T18:00:54.201Z,w1,clustercomm,info,metric sender,720,0
2020-05-25T18:01:01.120Z,w1,clustercomm,info,metric sender,715,2

For the Delimited Text format, also set the following:

  • Delimiter: The character that separates fields in the data.
  • Quote: The character that surrounds quoted fields.
  • Escape: The character that escapes special characters in the data.
  • Null value: The value that represents a null field.
  • Optional field list: A list of fields to include in the event.

Choose this data format if your incoming data is formatted as a JSON array, for example:

[
  {
    "time": "2020-05-25T18:00:54.201Z",
    "cid": "w1",
    "channel": "clustercomm",
    "level": "info",
    "message": "metric sender",
    "total": 720,
    "dropped": 0
  },
  {
    "time": "2020-05-25T18:01:01.120Z",
    "cid": "w1",
    "channel": "clustercomm",
    "level": "info",
    "message": "metric sender",
    "total": 715,
    "dropped": 2
  }
]

Choose this data format if your incoming data is formatted as key-value pairs, for example:

{
  "w1-1": {
    "time": "2020-05-25T18:00:54.201Z",
    "channel": "clustercomm",
    "level": "info",
    "message": "metric sender",
    "total": 720,
    "dropped": 0
  },
  "w1-2": {
    "time": "2020-05-25T18:01:01.120Z",
    "channel": "clustercomm",
    "level": "info",
    "message": "metric sender",
    "total": 715,
    "dropped": 2
  }
}

For the Key-Value Pair format, set the following:

  • Delimiter: Specify the character that separates fields in your incoming data.
  • Equals sign: Specify the character that separates keys and values.

Choose this data format if your incoming data is formatted as Parquet.

Choose this data format if your data is plain text that doesn’t fit any of the other formats, for example:

2025-10-12 09:15:32 ALERT user=jdoe action=login_failed from 10.1.2.3 (reason: bad password)
2025-10-12 09:15:33 INFO starting background sweep job
2025-10-12 09:15:34 WARNING cache nearly full (92%)

Raw Text is common for free-form logs where you care about a few specific fields rather than a full schema.

Use Additional Extractions to define regex, key-value, delimited, JSON, or XML extractions for the fields you need.

Choose this data format if your incoming data is formatted as XML, for example:

<logs>
  <log>
    <time>2020-05-25T18:00:54.201Z</time>
    <cid>w1</cid>
    <channel>clustercomm</channel>
    <level>info</level>
    <message>metric sender</message>
    <total>720</total>
    <dropped>0</dropped>
  </log>
  <log>
    <time>2020-05-25T18:01:01.120Z</time>
    <cid>w1</cid>
    <channel>clustercomm</channel>
    <level>info</level>
    <message>metric sender</message>
    <total>715</total>
    <dropped>2</dropped>
  </log>
</logs>

For the XML format, set the following:

  • Keep attributes: Enable to preserve XML attributes in parsed events.
  • Keep metadata: Enable to preserve XML metadata. Requires Keep attributes.
  • Values to remove: Enter values to filter out. Elements that match any of those values get dropped.
  • Transformer: Choose a preset to handle well-known XML formats:
    • Windows Event: Flatten Windows Event Log XML into searchable fields.
    • Apple P-list: Convert macOS plist XML into key-value pairs.

3. Set the Maximum Event Size

In Max Bytes, set the maximum size of a single event before it’s truncated.

3. Set Additional Extractions

Use Additional Extractions to run secondary parsers for extracting more fields or peeling layered payloads.

This feature is not supported for federated Datasets.

4. Set Timestamp Extraction

Configure how to find timestamps in your data.

Set the Extraction type:

  • Auto: Tries to detect the timestamp automatically. Set Scan depth to how many characters to scan after the anchor. Larger values are slower but may find timestamps farther into the event.
  • Manual: Provide the exact strptime format (for example, %Y-%m-%dT%H:%M:%S.%LZ). Use when you know the exact format of your timestamps, and it’s consistent.

Then, configure these settings:

SettingDescription
Time field
Field from which to extract the timestamp (for example, _raw). Leave blank to scan the entire event.
Default timezoneTimezone to apply when the extracted timestamp doesn’t include one. Defaults to UTC.
Earliest timestamp allowedOldest acceptable timestamp relative to now (for example, -1y). Timestamps older than this are clamped to this value. Use 0 to allow back to the Unix epoch (Jan 1, 1970).
Future timestamp allowedNewest acceptable timestamp relative to now (for example, +2d). Timestamps further in the future are clamped to this value.
Timestamp anchorRegex matching the text that immediately precedes the timestamp. Use $ to skip extraction.

5. Add Schema Maps

Normalize vendor-specific field names into one or more canonical schemas (ECS, OCSF, your own), while keeping the original fields for backward compatibility and troubleshooting.

Under Schema Maps, select Add Row, and configure:

  • Field Name: Name of the new field to add.
  • Kusto Expression: Kusto expression to populate the new field.

This feature is not supported for federated Datasets.

Example: ECSExample: OCSF
  • Field Name: source.ip
  • Source: src_ip
  • Input: src_ip: "10.0.0.1"
  • Output: src_ip: "10.0.0.1", source.ip: "10.0.0.1"
  • Field Name: event.outcome
  • Source: iif(action == "blocked", "failure", "success")
  • Input: action: "blocked"
  • Output: action: "blocked", event.outcome: "failure"

6. Add Fields to Events

Enrich incoming events with new computed fields.

Under Add fields to events, select Add Row, and configure:

  • Field Name: Name of the new field to add.
  • Kusto Expression: Kusto expression to populate the new field.

This feature is not supported for federated Datasets.

Example: Risk ScoreExample: Port Groups
  • Field Name: risk_score
  • Kusto Expression: case(severity == "critical", 100, severity == "high", 80, severity == "medium", 50, 20)
  • Input: severity: "critical"
  • Output: severity: "critical", risk_score: 100
  • Field Name: destination.port_group
  • Kusto Expression: iif(dst_port in (80, 443), "web", iif(dst_port in (22, 3389), "admin", "other"))
  • Input: dst_port: 443
  • Output: dst_port: 443, destination.port_group: "web"

Next Steps

Confirm with Save. Now, you’re ready to apply your custom v2 Datatype to your Datasets.

List of Stock v2 Datatypes

Cribl Search comes with a wide range of stock v2 Datatypes that automatically recognize and parse common log types. This list highlights some key supported types, but many others are available and applied automatically.

Log typeDatatype ID (datatype field added)Source data format
Apache Combined logsapache_httpd_accesslog_combined
Raw Text
Apache Common logsapache_httpd_accesslog_commonRaw Text
AWS Application Load Balancer Log Fieldsaws_alb_accesslogDelimited Text
AWS CloudFront access logsaws_cloudfront_accesslogDelimited Text
AWS Config configuration item change notificationsaws_configJSON Newline Delimited
AWS EC2 system logs (syslog with ISO 8601 prefix)aws_ec2Raw Text
AWS EKS Kubernetes control plane audit logs in JSON formataws_eks_auditJSON Newline Delimited
AWS Classic Elastic Load Balancing Log Fieldsaws_elb_accesslogDelimited Text
AWS GuardDuty finding events in JSON formataws_guarddutyJSON Newline Delimited
AWS Network Firewall logs (Suricata EVE JSON with AWS metadata)aws_network_firewallJSON Newline Delimited
AWS Network Load Balancer TLS access logsaws_nlb_accesslogDelimited Text
AWS RDS MySQL audit logs (MariaDB audit plugin format)aws_rds_audit_mysqlDelimited Text
AWS RDS PostgreSQL pgAudit logsaws_rds_audit_postgresqlRaw Text
AWS Route 53 public DNS query logs (space-delimited)aws_route53_publicDelimited Text
AWS Route 53 Resolver query logs in JSON formataws_route53_resolverJSON Newline Delimited
AWS S3 server access logsaws_s3_accessRaw Text
AWS Security Hub findings in ASFF formataws_security_hubJSON Newline Delimited
AWS VPC Flow Logs version 2aws_vpc_v2Delimited Text
AWS VPC Flow Logs version 5aws_vpc_v5Delimited Text
AWS WAF logs in JSON formataws_waf_log_jsonJSON Newline Delimited
Microsoft Azure Graph Security API alert events in JSON formatazure_graph_alertsJSON Newline Delimited
Microsoft Azure Graph API device records in JSON formatazure_graph_devicesJSON Newline Delimited
Microsoft Azure Graph API directory audit logs in JSON formatazure_graph_directory_auditsJSON Newline Delimited
Microsoft Azure Graph API sign-in logs in JSON formatazure_graph_signinsJSON Newline Delimited
Microsoft Azure Graph API user authentication registration details in JSON formatazure_graph_user_registrationJSON Newline Delimited
Microsoft Azure Graph API user profile records in JSON formatazure_graph_usersJSON Newline Delimited
Azure Network Security Group (NSG) Flow Logsazure_nsg_flowlog_jsonJSON Newline Delimited
Check Point firewall logs in native key:“value”; semicolon-delimited formatcheckpoint_firewallRaw Text
Check Point firewall logs wrapped in RFC5424 syslog formatcheckpoint_firewall_rfc_5424Raw Text
Cisco ASA syslog messages (ASA-* message IDs) with embedded event timestamp and various message formatscisco_asa_syslogRaw Text
Cisco eStreamer event logs (eNcore KVP format)cisco_estreamerKey-Value Pair
Cisco Firewall Services Module (FWSM) logscisco_fwsm_syslogRaw Text
Cisco Firewall Services Module (FWSM) syslog events (connection build/teardown, translations, denies)cisco_fwsm_v2Raw Text
Cisco IPS 4200 IDS/IPS alert events in comma-delimited key=value formatcisco_ips_alertKey-Value Pair
Cisco NetFlow v9 records exported with a syslog-like prefix and comma-separated key=“value” pairscisco_netflow_v9Raw Text
Cloudflare Zero Trust Access authentication events from Logpush in JSON formatcloudflare_access_requestJSON Newline Delimited
Cloudflare account audit logs from Logpush in JSON formatcloudflare_auditJSON Newline Delimited
Cloudflare firewall and WAF security events from Logpush in JSON formatcloudflare_firewall_eventJSON Newline Delimited
Cloudflare Zero Trust Gateway HTTP and network session logs from Logpush in JSON formatcloudflare_gatewayJSON Newline Delimited
Cloudflare Zero Trust Gateway DNS query logs from Logpush in JSON formatcloudflare_gateway_dnsJSON Newline Delimited
Cloudflare CDN HTTP request logs from Logpush in JSON formatcloudflare_http_requestJSON Newline Delimited
Cloudflare Workers trace events from Logpush in JSON formatcloudflare_workers_traceJSON Newline Delimited
Cloudflare Zero Trust network session telemetry from Logpush in JSON formatcloudflare_zero_trust_network_sessionJSON Newline Delimited
AWS CloudTrail digest files for log validationcloudtrail_digestJSON Newline Delimited
AWS CloudTrail event logs in JSON formatcloudtrail_eventJSON Newline Delimited
Confluent Cloud Kafka audit log events following CloudEvents v1.0 spec in JSON formatconfluent_auditJSON Newline Delimited
Cribl internal process logs in JSON formatcribl_internal_logsJSON Newline Delimited
Cribl Stream metrics data in JSON formatcribl_metricsJSON Newline Delimited
Exabeam Common Information Model (CIM) normalized events in JSON formatexabeam_cimJSON Newline Delimited
CrowdStrike Falcon Event Streams API events in JSON formatfalcon_eventsJSON Newline Delimited
CrowdStrike Falcon Data Replicator (FDR) sensor telemetry events in JSON formatfalcon_fdrJSON Newline Delimited
CrowdStrike Falcon Data Replicator (FDR) host/asset info records in JSON formatfalcon_fdr_aidmasterJSON Newline Delimited
CrowdStrike Falcon Data Replicator (FDR) external API events in JSON formatfalcon_fdr_external_apiJSON Newline Delimited
CrowdStrike Falcon REST API alert events in JSON formatfalcon_rest_alertsJSON Newline Delimited
CrowdStrike Falcon Hosts API device inventory events in JSON formatfalcon_rest_devicesJSON Newline Delimited
CrowdStrike Falcon Spotlight API vulnerability assessment events in JSON formatfalcon_rest_vulnerabilitiesJSON Newline Delimited
Fortinet FortiGate firewall logs in key=value format (FortiOS traffic/utm/event).fortinet_fortigate_syslogKey-Value Pair
Fortinet FortiGate firewall logs wrapped in a syslog PRI header followed by FortiOS key=value pairs.fortinet_fortigate_syslog_wrappedRaw Text
GCP Cloud Audit Logs in JSON formatgcp_audit_logsJSON Newline Delimited
GCP VPC Firewall Rules Logs in JSON formatgcp_firewallJSON Newline Delimited
GCP VPC Flow Logs in JSON formatgcp_vpc_flowJSON Newline Delimited
Generic CSV datageneric_csvDelimited Text
Generic space-delimited key=value pairsgeneric_kvpKey-Value Pair
Generic metrics datageneric_metricsRaw Text
Generic NDJSON datageneric_ndjsonJSON Newline Delimited
Generic tab-separated valuesgeneric_tsvDelimited Text
Generic XML contentgeneric_xmlXML
GitLab audit events from audit_json.log file for DevOps activity in JSON formatgitlab_audit_logJSON Newline Delimited
GitLab audit events via streaming (HTTP webhook) for DevOps activity in JSON formatgitlab_audit_streamingJSON Newline Delimited
Gong Revenue Intelligence Platform audit logs (UserActivityLog and AccessLog) in JSON formatgong_auditJSON Newline Delimited
Google Workspace Activity Reports in JSON formatgws_activity_reportsJSON Newline Delimited
Google Workspace Alert Center alerts in JSON formatgws_alertsJSON Newline Delimited
IBM AIX audit log events (AIX audit subsystem)ibm_aix_auditRaw Text
IBM Db2 audit CONTEXT events recording SQL statements and database operations such as COMMIT, ROLLBACK, CONNECT, and EXECUTE.ibm_db2_audit_contextDelimited Text
IBM Db2 audit OBJMAINT events recording object maintenance actions such as CREATE_OBJECT, DROP_OBJECT, and RENAME_OBJECT.ibm_db2_audit_objmaintDelimited Text
IBM Db2 audit SECMAINT events recording security maintenance actions such as GRANT, REVOKE, and IMPLICIT_GRANT of privileges and authorities.ibm_db2_audit_secmaintDelimited Text
IBM Db2 audit SYSADMIN events recording system administration actions such as DB2SET, DB2AUDIT, START_DB2, STOP_DB2, and GET_SNAPSHOT.ibm_db2_audit_sysadminDelimited Text
IBM Db2 audit VALIDATE events recording authentication and user validation activities such as AUTHENTICATION, CHECK_GROUP_MEMBERSHIP, and GET_USERID.ibm_db2_audit_validateDelimited Text
IBM i (OS/400) logs in syslog-like format with key/value pairsibm_os400_syslogRaw Text
IBM z/OS (OS/390) RACF audit events in syslog format with key-value payloadibm_racf_syslogRaw Text
Imperva SecureSphere Database Activity Monitor logs in CEF format with syslog prefiximperva_damRaw Text
Imperva Incapsula Cloud WAF logs in CEF formatimperva_incapsula_wafRaw Text
Infoblox logs in CEF (Common Event Format) formatinfoblox_cefRaw Text
Infoblox logs in CEF format with RFC 5424 syslog headerinfoblox_cef_rfc5424Raw Text
Infoblox logs in LEEF (Log Event Extended Format) formatinfoblox_leefRaw Text
Infoblox logs in LEEF format with RFC 5424 syslog headerinfoblox_leef_rfc5424Raw Text
Infoblox DNS/DHCP appliance logs in standard syslog formatinfoblox_syslogRaw Text
Infoblox DNS/DHCP appliance logs in BSD syslog format without PRI headerinfoblox_syslog_bsd_nopriRaw Text
Infoblox DNS/DHCP appliance logs with ISO 8601 timestampsinfoblox_syslog_iso8601Raw Text
ISC BIND9 named DNS query logsisc_bind_queryRaw Text
Linux auditd events (audit logs) including PATH, AVC, SERVICE_START, and CRED_ACQ recordslinux_auditd_logRaw Text
Microsoft DHCP Server events forwarded as MSWinEventLog syslog with tab-delimited payloadmicrosoft_dhcp_syslogRaw Text
Microsoft Windows DNS Server Service events in key=value style Windows Event Log export formatmicrosoft_dns_server_eventlogRaw Text
Microsoft IIS 7.5 W3C HTTP access logs (space-delimited fields)microsoft_iis_accesslogDelimited Text
Microsoft Windows Event Log (classic format)microsoft_windows_eventlog_classicRaw Text
Microsoft Windows Event Log (XML format)microsoft_windows_eventlog_xmlXML
MySQL/MariaDB server audit log in CSV format (timestamp, server host, user, client host, connection id, query id, operation, database, object/query, return code)mysql_server_auditDelimited Text
n8n workflow automation log streaming events in JSON formatn8n_log_streamingJSON Newline Delimited
NetApp filer cfoa event logs (weekday/month/day/time/tz prefix with bracketed cfoa event and severity)netapp_filer_cfoaRaw Text
NetApp log messages with leading weekday timestamp and bracketed event key and severitynetapp_filer_syslogRaw Text
Netskope alert events (DLP, malware, malicious site, policy) in JSON/NDJSON formatnetskope_alert_jsonJSON Newline Delimited
Netskope event logs (page, application, audit, infrastructure) in JSON/NDJSON formatnetskope_event_jsonJSON Newline Delimited
nginx access logs in combined (remote_addr - remote_user [time] “request” status bytes “referer” “user_agent”) formatnginx_accesslogRaw Text
Open Cybersecurity Schema Framework (OCSF) events in JSON formatocsfJSON Newline Delimited
Okta System Log events in JSON formatokta_system_logJSON Newline Delimited
OpenAI organization audit logs in JSON formatopenai_auditJSON Newline Delimited
OpenAI API completions usage data in JSON formatopenai_completionsJSON Newline Delimited
OpenAI organization cost data in JSON formatopenai_costsJSON Newline Delimited
OpenAI organization project data in JSON formatopenai_projectsJSON Newline Delimited
OpenAI organization user data in JSON formatopenai_usersJSON Newline Delimited
Palo Alto authentication logs in CSV formatpan_authentication_csvDelimited Text
Palo Alto authentication logs in syslog formatpan_authentication_syslogRaw Text
Palo Alto authentication logs in syslog format without PRI headerpan_authentication_syslog_nopriRaw Text
Palo Alto config logs in CSV formatpan_config_csvDelimited Text
Palo Alto config logs in syslog formatpan_config_syslogRaw Text
Palo Alto config logs in syslog format without PRI headerpan_config_syslog_nopriRaw Text
Palo Alto correlation logs in CSV formatpan_correlation_csvDelimited Text
Palo Alto correlation logs in syslog formatpan_correlation_syslogRaw Text
Palo Alto correlation logs in syslog format without PRI headerpan_correlation_syslog_nopriRaw Text
Palo Alto GlobalProtect logs in CSV formatpan_globalprotect_csvDelimited Text
Palo Alto GlobalProtect logs in syslog formatpan_globalprotect_syslogRaw Text
Palo Alto GlobalProtect logs in syslog format without PRI headerpan_globalprotect_syslog_nopriRaw Text
Palo Alto HIP match logs in CSV formatpan_hipmatch_csvDelimited Text
Palo Alto HIP match logs in syslog formatpan_hipmatch_syslogRaw Text
Palo Alto HIP match logs in syslog format without PRI headerpan_hipmatch_syslog_nopriRaw Text
Palo Alto IP tag logs in CSV formatpan_iptag_csvDelimited Text
Palo Alto IP tag logs in syslog formatpan_iptag_syslogRaw Text
Palo Alto IP tag logs in syslog format without PRI headerpan_iptag_syslog_nopriRaw Text
Palo Alto system logs in CSV formatpan_system_csvDelimited Text
Palo Alto system logs in syslog formatpan_system_syslogRaw Text
Palo Alto system logs in syslog format without PRI headerpan_system_syslog_nopriRaw Text
Palo Alto threat logs in CSV formatpan_threat_csvDelimited Text
Palo Alto threat logs in syslog formatpan_threat_syslogRaw Text
Palo Alto threat logs in syslog format without PRI headerpan_threat_syslog_nopriRaw Text
Palo Alto traffic logs in CSV formatpan_traffic_csvDelimited Text
Palo Alto traffic logs in syslog formatpan_traffic_syslogRaw Text
Palo Alto traffic logs in syslog format without PRI headerpan_traffic_syslog_nopriRaw Text
Palo Alto tunnel logs in CSV formatpan_tunnel_csvDelimited Text
Palo Alto tunnel logs in syslog formatpan_tunnel_syslogRaw Text
Palo Alto tunnel logs in syslog format without PRI headerpan_tunnel_syslog_nopriRaw Text
Proofpoint PPS native logs with full-month timestamps and space-delimited key=value fieldsproofpoint_pps_logRaw Text
Proofpoint PPS module/filter logs with ISO timestamps and process namesproofpoint_pps_moduleRaw Text
Proofpoint PPS sendmail/MTA queue logs with comma-delimited fieldsproofpoint_pps_sendmailRaw Text
Proofpoint TAP click events in JSON formatproofpoint_tap_clicksJSON Newline Delimited
Proofpoint TAP message events in JSON formatproofpoint_tap_messagesJSON Newline Delimited
Proofpoint TAP events in RFC5424 syslog formatproofpoint_tap_rfc5424Raw Text
Salesforce Event Log File ApexCallout events in CSV formatsalesforce_eventlogfile_calloutDelimited Text
Salesforce Event Log File ApexExecution events in CSV formatsalesforce_eventlogfile_executionDelimited Text
Salesforce Event Log File ApexRestApi events in CSV formatsalesforce_eventlogfile_restapiDelimited Text
Salesforce Login History records in JSON formatsalesforce_loginhistoryJSON Newline Delimited
Salesforce Setup Audit Trail records in JSON formatsalesforce_setupaudittrailJSON Newline Delimited
SentinelOne Cloud Funnel v1 EDR telemetry events in JSON formatsentinelone_cloudfunnel_v1JSON Newline Delimited
SentinelOne Cloud Funnel v2 EDR telemetry events in flat JSON formatsentinelone_cloudfunnel_v2JSON Newline Delimited
Slack Workspace Audit Logs from the Slack Audit Logs API in JSON formatslack_auditJSON Newline Delimited
Snort IDS/IPS alert logs in Snort fast alert format (non-syslog)snort_alert_fullRaw Text
Snort IDS/IPS alert logs in syslog formatsnort_alert_syslogRaw Text
Squid proxy access.log events (default native format)squid_accessRaw Text
IBM z/OS SMF records exported by Syncsort in JSON format (multiple SMF record types)syncsort_zos_smfJSON Newline Delimited
IBM z/OS SMF type 80 RACF security audit records exported by Syncsort in JSON formatsyncsort_zos_smf_racfJSON Newline Delimited
IBM z/OS SYSLOG records exported by Syncsort in JSON formatsyncsort_zos_syslogJSON Newline Delimited
Syslog RFC 3164 formatsyslog_rfc3164Raw Text
Syslog RFC 5424 formatsyslog_rfc5424Raw Text
HashiCorp Terraform Enterprise audit log events for infrastructure changes in JSON formatterraform_enterprise_auditJSON Newline Delimited
Trellix EDR endpoint detection events in JSON formattrellix_edr_eventJSON Newline Delimited
Trellix ePO device inventory data in JSON formattrellix_epo_deviceJSON Newline Delimited
Trellix ePO security events in JSON formattrellix_epo_eventJSON Newline Delimited
Trellix ePO group hierarchy data in JSON formattrellix_epo_groupJSON Newline Delimited
Trellix ePO syslog events in XML formattrellix_epo_syslog_xmlXML
Ubiquiti UniFi access point logs (mcad, hostapd, wevent, kernel)unifi_otherRaw Text
Ubiquiti UniFi station tracking daemon (stahtd) logs with STA_ASSOC_TRACKER eventsunifi_stahtdRaw Text
VMware NSX FABRIC logs in RFC5424 syslog format with NSX structured datavmware_nsx_fabric_rfcRaw Text
VMWare NSX Firewall logs in RFC5424 syslog format with NSX structured data and firewall packet message fieldsvmware_nsx_firewall_syslogRaw Text
VMware NSX ROUTING logs in RFC5424 syslog format with NSX structured datavmware_nsx_routing_rfcRaw Text
VMware NSX SYSTEM logs in RFC5424 syslog format with NSX structured datavmware_nsx_system_rfcRaw Text
WordPress activity logs from WP Activity Log plugin in JSON formatwordpress_activity_logJSON Newline Delimited
Workday user activity logs from the Activity Logging API in JSON formatworkday_activityJSON Newline Delimited
Workday sign-on and authentication logs in JSON formatworkday_signonJSON Newline Delimited
Zeek (Bro) network security monitor logs in JSON/NDJSON formatzeek_jsonJSON Newline Delimited
Zeek (Bro) network security monitor logs in TSV formatzeek_tsvDelimited Text
Zscaler Internet Access (ZIA) NSS alert messages in syslog formatzia_alertsRaw Text
Zscaler Internet Access (ZIA) firewall logs in CSV formatzia_csvDelimited Text
Zscaler Internet Access (ZIA) web logs in JSON format with nested event objectzia_jsonJSON Newline Delimited
Zscaler Internet Access (ZIA) firewall logs in TSV formatzia_tsvDelimited Text
Zscaler Private Access (ZPA) App Connector status logs in JSON formatzpa_app_connectorJSON Newline Delimited
Zscaler Private Access (ZPA) audit logs in JSON formatzpa_auditJSON Newline Delimited
Zscaler Private Access (ZPA) Browser Access logs in JSON formatzpa_browser_accessJSON Newline Delimited
Zscaler Private Access (ZPA) user activity logs in JSON formatzpa_user_activityJSON Newline Delimited
Zscaler Private Access (ZPA) user status logs in JSON formatzpa_user_statusJSON Newline Delimited
Zscaler Internet Access (ZIA) NSS web logs with custom delimiter formatzscaler_ziaRaw Text