This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Parse content issue

Go to solution
Vardhan47
Visitor

‎13 Jun 2025 08:32 PM - edited ‎13 Jun 2025 08:37 PM

HI All,

I`m getting syslogs from 2 different devices, which there is slight vary in the data due to which i`m not able to parse both logs in the same query as either 1 will give "data" & other will show as "null"

I`m looking for output for the field "category" but unable to parse both at the same time in single query but able to get the desired output on separate queries.

1) content in syslog example as below where "Category" field is in middle and if i use "," getting the desired output on this case

Sample Raw log
Initiator=Source, Category=block, Client=application

fetch logs
| parse content, """ DATA ',' MOF LD "Category" PUNCT ld:Category ',' """

>>Output for Category field is 
block

2) content in syslog example as below where its ending with "Category:block" so if i use ',' its returning as null,Since there is no "," parameter for the "Category" field . So in parse content if left it as empty then output is returning as expected a below

Initiator:Source, Category:block

fetch logs
| parse content, """ DATA ',' MOF LD "Category" PUNCT ld:Category"""

>>Output for Category field is 
block

 

I want both conditions to be parsed in same query, with some conditional parameters 

And the field "Category" consists other values such as "block" or "Geo block" or "geo-state_block" with the special characters inbetween like "space,-,_ ".

 

I`m using PUNCT here as common to ignore ":" and "=" as both logs are from different devices logs 

So i want the output for the category field for different syslogs in same query without loosing any data,

Kindly advise.

Labels:
0 Kudos
Reply
2 REPLIES 2

Go to solution
marco_irmer
Champion

‎13 Jun 2025 10:33 PM

Conditional logic can get messy when you're trying to use the parse command at query time. This is especially true when there are inconsistencies in the underlying data format (or you try to parse multiple data formats in a single run).

My recommendation is to parse the logs on ingest time, where you can specify conditions to control which parsing logic is applied. This would be done either via the Log Processing settings (Classic approach), or within Openpipeline. 

Using the parse on ingest approach will give you better flexibility overall and while also removing complexity from your queries.

0 Kudos
Reply

Go to solution
Vardhan47
Visitor

‎07 Jul 2025 08:20 AM

Hi @marco_irmer,
I managed to fix it on parsing different type of conditions using a different names & using the if condition in the fieldsAdd.

0 Kudos
Reply
Ask a question

Featured Posts