How parsing works
Parsing is applied to a set of target strings on the system. These target strings are just textual data, typically received messages (but possibly other types of textual data). In all cases, the parse function you specify is replaced by the parsed value as the first step in processing or matching messages.
Three distinct types of parsing can occur on the system, documented in detail in the various parts of this section:
- Parse By Field Number—You can simply specify the field number that is extracted from the target string, such as $3 being the third word of the target string. The leading $ can generally be omitted, but is always appropriate to include in the parse specification. This type of parsing is useful if the operator is working with highly structured data where the position of a particular word has a standard significance. In practice, this generally works with only a small set of very standardized messages.
- Parse By Match Expression—You can specify a match expression, where the asterisk character in the match expression specifies the particular text string segment that is to be extracted. This works with many different loosely structured data formats, especially messages in the standard BMC Defender Server format, as well as CEF, LEEF, and other common information formats. In practice, this technique gets used a lot for all types of structured and unstructured data.
- Parse By Function—You can specify a more complex $parse() function that performs special processing of the message. A majority of the information in this section is related to this technique; each parse function supported by the BMC Defender Server system is documented in detail.
In all cases, the parse expression is replaced by the parsed value. Herein, this is called the returned value of the parse expression; this simply means that the parsed value replaces the user furnished parse expression.
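The following is an added reference implementation of the first two parsing types (it is example code, not BMC Defender Server's own parser). It assumes a field specification is `$N` or `N` counting whitespace-separated words, that a match expression contains exactly one `*` with every other character matched literally, and it does not model `$parse()` functions; the sample message is constructed.

```python
import re
from typing import Optional

# Constructed sample target string (a typical received message).
SAMPLE = "Dec 12 10:15:02 host1 sshd: Failed password for invalid user admin from 10.0.0.5 port 2222"


def parse_by_field(target: str, spec: str) -> Optional[str]:
    """Parse By Field Number: '$3' (or '3') returns the third whitespace-separated word.
    Returns None when the message has fewer words than the requested position."""
    n = int(spec.lstrip("$"))
    words = target.split()
    return words[n - 1] if 1 <= n <= len(words) else None


def parse_by_match(target: str, expr: str) -> Optional[str]:
    """Parse By Match Expression: the single '*' in expr marks the segment to extract.
    Assumption: all other characters are literal, so they are regex-escaped; a '.' or '('
    in the message therefore cannot change what the expression matches."""
    if expr.count("*") != 1:
        raise ValueError("match expression must contain exactly one '*' marking the segment")
    before, after = expr.split("*")
    # With trailing literal text, capture the shortest segment up to it; with none,
    # capture to the end of the message (a non-greedy group would match the empty string).
    body = r"(.*?)" if after else r"(.*)"
    m = re.search(re.escape(before) + body + re.escape(after), target)
    return m.group(1) if m else None


def resolve(spec: str, target: str) -> Optional[str]:
    """Replace a parse specification by its parsed value (the 'returned value').
    Field-number specs look like '$N' or 'N'; anything else is treated as a match expression."""
    if re.fullmatch(r"\$?\d+", spec):
        return parse_by_field(target, spec)
    return parse_by_match(target, spec)


if __name__ == "__main__":
    for spec in ("$4", "11", "from * port", "user * from", "port *", "for user * from", "$16"):
        print(f"{spec!r:>20} -> {resolve(spec, SAMPLE)!r}")
```

Note that `"for user * from"` returns `None` because the literal text does not occur in the message; the expression must reproduce the surrounding text exactly.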
The remaining portion of this section describes each parse expression, its purpose, and its usage both as a parser and within a correlation rule. You should look closely at the examples in each section and may want to experiment with the match pattern using any of the facilities described above.