Field transformations allow you to remove fields. That’s probably what you’re 
looking for.

Simon

> On 30 Oct 2018, at 19:03, Muhammed Irshad <irshadkt....@gmail.com> wrote:
> 
> Thanks Otto. BasicISEParser worked well. Could you please elaborate more on 
> structured data? Is it something in header or message field in syslog 
> message in my example? Just to understand the working of syslogparser 
> library in detail to extend in future. 
> Also can I filter fields when using BasicISEParser? I know we can filter 
> message with stellar but can we filter fields? Like index only interested 
> fields? 
> 
>> On Tue, Oct 30, 2018 at 11:29 PM Otto Fowler <ottobackwa...@gmail.com> wrote:
>> Per the spec which this is written to, if you don’t have structured data, 
>> you need to have a ‘-‘ marker.  So this is not valid 5424.  That is from a 
>> cursory look.
>> Metron has a dedicated ISE parser, have you tried that?
>> 
>> If you would like to have the parser have a setting to optionally accept 
>> missing structured data, you can open an issue @ 
>> https://github.com/palindromicity/simple-syslog-5424/issues
>> If/when resolved there, a jira to pick up the change in metron can be logged.
>> 
>> 
>> 
>>> On October 30, 2018 at 13:38:39, Muhammed Irshad (irshadkt....@gmail.com) 
>>> wrote:
>>> 
>>> I am trying to test existing Syslog5424Parser with the logs from my 
>>> cisco:ise log data. I am getting the below error message under 
>>> MessageParserResult. Is the below format supported by existing syslog 
>>> parser? Or can I configure it to support this format?
>>> 
>>> Message sample :
>>> <182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com  
>>> CISE_Profiler 0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228 
>>> 80002 INFO  Profiler: Profiler EndPoint profiling event occurred, 
>>> ConfigVersionId=267, OperatingSystem=FreeBSD 10.0-CURRENT (accuracy 92%), 
>>> EndpointCertainityMetric=160, EndpointIPAddress=192.168.88.55, 
>>> EndpointMacAddress=F8:0D:60:FF:86:E5, EndpointMatchedPolicy=Canon-Printer,
>>> 
>>> Error message :
>>> com.github.palindromicity.syslog.dsl.ParseException: Syntax error @ 1:93 no 
>>> viable alternative at input '1'
>>> 
>>> --
>>> Muhammed Irshad K T
>>> Senior Software Engineer
>>> +919447946359
>>> irshadkt....@gmail.com
>>> Skype : muhammed.irshad.k.t
> 
> 
> -- 
> Muhammed Irshad K T
> Senior Software Engineer
> +919447946359
> irshadkt....@gmail.com
> Skype : muhammed.irshad.k.t
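
As an added illustration (not code from simple-syslog-5424 or Metron), here is a minimal RFC 5424 header and STRUCTURED-DATA parser that shows why a line with no `-` NILVALUE between MSGID and the message is rejected in strict mode, and what the lenient setting Otto mentions would do. `ISE_LINE` is constructed from Irshad's sample, normalised to single spaces and truncated; `allow_missing_sd` and `is_valid_5424` are names chosen here, not library options.

```python
import re
from typing import Dict, Any

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
# Header fields are separated by exactly one SP; "rest" begins at STRUCTURED-DATA.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
# One SD-ELEMENT "[...]"; a ']' inside a PARAM-VALUE must be escaped as '\]'.
SD_ELEMENT_RE = re.compile(r"\[(?:[^\]\\]|\\.)*\]")

def parse_5424(line: str, allow_missing_sd: bool = False) -> Dict[str, Any]:
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header (PRI/VERSION or single-SP separators)")
    rest, sd = m.group("rest"), []
    if rest.startswith("-"):            # NILVALUE: the sender says "no structured data"
        msg = rest[1:]
    elif rest.startswith("["):          # one or more SD-ELEMENTs, then optional SP MSG
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = SD_ELEMENT_RE.match(rest, pos)
            if e is None:
                raise ValueError("unterminated SD-ELEMENT at column %d" % (m.start("rest") + pos + 1))
            sd.append(e.group(0))
            pos = e.end()
        msg = rest[pos:]
    elif allow_missing_sd:              # lenient mode: tolerate senders that omit the '-' marker
        msg = " " + rest
    else:                               # strict mode: this is what the ISE sample trips over
        raise ValueError("STRUCTURED-DATA must be '-' or '[...]' at column %d" % (m.start("rest") + 1))
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "app_name": m.group("app"), "proc_id": m.group("procid"),
            "msg_id": m.group("msgid"), "structured_data": sd,
            "message": msg[1:] if msg.startswith(" ") else msg}

def is_valid_5424(line: str, allow_missing_sd: bool = False) -> bool:
    try:
        parse_5424(line, allow_missing_sd)
        return True
    except ValueError:
        return False

# Constructed from the ISE sample in the thread (single-spaced, truncated), plus a corrected copy
# with the NILVALUE '-' inserted between MSGID and the free-text message.
ISE_LINE = ("<182>1 2018-10-05T08:46:06+00:00 lxapp1492-admin.in.mycompany.com CISE_Profiler "
            "0038547765 1 0 2018-10-05 18:46:06.972 +10:00 0538115228 80002 INFO Profiler: "
            "Profiler EndPoint profiling event occurred, ConfigVersionId=267")
ISE_LINE_FIXED = ISE_LINE.replace(" 1 0 2018-", " 1 - 0 2018-", 1)
```

In strict mode `ISE_LINE` fails at the STRUCTURED-DATA position while `ISE_LINE_FIXED` parses, with PRI 182 decoding to facility 22 (local6) and severity 6 (informational).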
