Help Center> SecMaster> User Guide> Settings> Data Collection> Collection Management> Managing Parsers
Updated on 2023-12-22 GMT+08:00
View PDF

Managing Parsers

Scenario

This topic describes how to perform the following operations: Creating a Parser, Viewing Parsers, Importing a Parser, Editing a Parser, Exporting a Parser, and Deleting a parser.

Creating a Parser

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Settings > Collectors. On the displayed page, click the Parsers tab.

    Figure 2 Accessing the Parsers tab page

  5. Customize a parser or create a parser from a template.

    • Customizing a parser
      1. On the Parsers tab page, click Add.
      2. On the Parsers tab page, set parameters.
        Table 1 Parameters for adding a parser

        Parameter

        Description

        Basic Information

        Parser Name

        Set the parser name.

        Description

        Enter the parser description.

        Rule list

        Set the parsing rule of the parser. Perform the following steps:

        1. Click Add and select a rule type.
          • Parsing rules: Select the parsing rule of the parser. You can select UUID, kv, mutate, grok, date, drop, prune, CSV, or JSON rules.
          • Conditional control: Select the conditions for the parser. You can select If, Else, or Else if.
        2. Set parameters based on the selected rule.
      3. After the setting is complete, click OK in the lower right corner of the page to confirm the setting.
    • Creating a parser from a template
      1. On the Parsers tab page, click the Templates tab.
      2. On the displayed page, locate the row that contains the target template, click Created by Template in the Operation column.
        Figure 3 Creating a parser from a template
      3. On the Parsers tab page, set parameters.
        Table 2 Parameters for adding a parser

        Parameter

        Description

        Basic Information

        Parser Name

        Parser name, which is automatically generated by the system based on the template and can be changed.

        Description

        Parser description, which is automatically generated by the system based on the template and can be modified.

        Rule list

        Parsing rule, which is automatically generated by the system based on the template and can be modified.

        To add a rule, click Add, select a rule type, and set parameters based on the selected rule.

        • Parsing rules: Select the parsing rule of the parser. You can select UUID, kv, mutate, grok, date, drop, prune, CSV, or JSON rules.
        • Conditional control: Select the conditions for the parser. You can select If, Else, or Else if.
      4. After the setting is complete, click OK in the lower right corner of the page to confirm the setting.

Viewing Parsers

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 4 Workspace management page

  4. In the navigation pane on the left, choose Settings > Collectors. On the displayed page, click the Parsers tab.

    Figure 5 Accessing the Parsers tab page

  5. On the Parsers page, view the detailed information about parsers.

    Table 3 Parsers parameters

    Parameter

    Description

    Parser Name

    Name of the parser.

    Reference Channels

    Number of channels referenced by the parser.

    Description

    Description of the parser.

    Operation

    You can edit and delete parsers.

  6. On the parser management page, click the Templates tab. The Templates page is displayed.
  7. On the templates page, view the parser template information.

    Table 4 Parser template parameters

    Parameter

    Description

    Template Name

    Name of a parser template

    Description

    Description of the parser template

    Operation

    You can create a parser template.

Importing a Parser

  • Only .json files no larger than 1 MB can be imported.
  • A maximum of five parser files can be imported at a time, and each parser file can contain a maximum of 100 parsers.
  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 6 Workspace management page

  4. In the navigation pane on the left, choose Settings > Collectors. On the displayed page, click the Parsers tab.

    Figure 7 Accessing the Parsers tab page

  5. On the Parser List page, click Import in the upper left corner of the parser list.
  6. In the displayed Import dialog box, click Select File and select the JSON file you want to import.

    • Only .json files no larger than 1 MB can be imported.
    • A maximum of five parser files can be imported at a time, and each parser file can contain a maximum of 100 parsers.

  7. Click Confirm.

    After the parsers are imported, you can view the imported parser information in the parser list.

Editing a Parser

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 8 Workspace management page

  4. In the navigation pane on the left, choose Settings > Collectors. On the displayed page, click the Parsers tab.

    Figure 9 Accessing the Parsers tab page

  5. On the Parser Management tab page, locate the row containing your desired parser and click Edit in the Operation column.
  6. In the Edit Parser dialog box, edit the parser information.

    Table 5 Editing a parser

    Parameter

    Description

    Basic Information

    Parser Name

    Set the parser name.

    Description

    Enter the parser description.

    Rule list

    Set the parsing rule of the parser. Perform the following steps:

    Click Add and select a rule type.

    • Parsing rules: Select the parsing rule of the parser.
    • Conditional control: Select the conditional control principle of the parser.

  7. After the setting is complete, click OK in the lower right corner of the page to confirm the setting.

Exporting a Parser

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 10 Workspace management page

  4. In the navigation pane on the left, choose Settings > Collectors. On the displayed page, click the Parsers tab.

    Figure 11 Accessing the Parsers tab page

  5. On the Parser List page, select the parsers you want to export and click Export above the list.

    The system automatically downloads the parser file in .json format to the local PC.

Deleting a parser

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 12 Workspace management page

  4. In the navigation pane on the left, choose Settings > Collectors. On the displayed page, click the Parsers tab.

    Figure 13 Accessing the Parsers tab page

  5. On the Parsers page, locate the row that contains the target parser and click Delete in the Operation column.
  6. In the displayed dialog box, click OK.
Parent topic: Collection Management