FCEFPARSER
Parses ArcSight Common Event Format (CEF) log files. The fcefparser loads values directly into any table column with a column name that matches a source data key. The parser stores the data loaded into a flex table in a single VMap.
Syntax
FAVROPARSER ( [parameter-name='value'[,...]] )
Parameters
delimiter |
Single-character delimiter. Default: |
record_terminator |
Single-character record terminator. **Default ****value: ** |
trim |
Boolean, specifies whether to trim white space from header names and key values. Default: |
reject_on_unescaped_delimiter |
Boolean, specifies whether to reject rows containing unescaped delimiters. The CEF standard does not permit them. Default: |
Examples
The following example illustrates creating a sample flex table for CEF data, with two real columns, eventId and priority.
-
Create a flex table
cefdata:=> create flex table cefdata(); CREATE TABLE -
Load some basic CEF data, using the flex parser
fcefparser:=> copy cefdata from stdin parser fcefparser(); Enter data to be copied followed by a newline. End with a backslash and a period on a line by itself. >> CEF:0|ArcSight|ArcSight|2.4.1|machine:20|New alert|High| >> \. -
Use the
maptostring()function to view the contents of yourcefdataflex table:=> select maptostring(__raw__) from cefdata; maptostring ------------------------------------------------------------- { "deviceproduct" : "ArcSight", "devicevendor" : "ArcSight", "deviceversion" : "2.4.1", "name" : "New alert", "severity" : "High", "signatureid" : "machine:20", "version" : "0" } (1 row) -
Select some virtual columns from the
cefdataflex table:= select deviceproduct, severity, deviceversion from cefdata; deviceproduct | severity | deviceversion ---------------+----------+--------------- ArcSight | High | 2.4.1 (1 row)For more information, see Common event format (CEF) data
See also