FCEFPARSER

Parses ArcSight Common Event Format (CEF) log files. This parser loads values directly into any table column with a column name that matches a source data key. The parser stores the data loaded into a flex table in a single VMap.

This parser is for use in Flex tables only. All flex parsers store the data as a single VMap in the LONG VARBINAR_raw__ column. If a data row is too large to fit in the column, it is rejected. Vertica supports null values for loading data with NULL-specified columns.

Syntax

FCEFPARSER ( [parameter-name='value'[,...]] )

Parameters

delimiter

Single-character delimiter.

Default: ' '

record_terminator

Single-character record terminator.

**Default ****value: **newline

trim

Boolean, specifies whether to trim white space from header names and key values.

Default: true

reject_on_unescaped_delimiter

Boolean, specifies whether to reject rows containing unescaped delimiters. The CEF standard does not permit them.

Default: false

Examples

The following example illustrates creating a sample flex table for CEF data, with two real columns, eventId and priority.

1. Create a flex table cefdata:

   => create flex table cefdata();
   CREATE TABLE
   

2. Load some basic CEF data, using the flex parser fcefparser:

   => copy cefdata from stdin parser fcefparser();
   Enter data to be copied followed by a newline.
   End with a backslash and a period on a line by itself.
   >> CEF:0|ArcSight|ArcSight|2.4.1|machine:20|New alert|High|
   >> \.
   

3. Use the maptostring() function to view the contents of your cefdata flex table:

   => select maptostring(__raw__) from cefdata;
                     maptostring
   -------------------------------------------------------------
    {
      "deviceproduct" : "ArcSight",
      "devicevendor" : "ArcSight",
      "deviceversion" : "2.4.1",
      "name" : "New alert",
      "severity" : "High",
      "signatureid" : "machine:20",
      "version" : "0"
   }
   
   
   (1 row)
   

4. Select some virtual columns from the cefdata flex table:

   
   = select deviceproduct, severity, deviceversion from cefdata;
    deviceproduct | severity | deviceversion
   ---------------+----------+---------------
    ArcSight      | High     | 2.4.1
   (1 row)
   

   For more information, see Common event format (CEF) data

   See also

   • FAVROPARSER
   • FCSVPARSER
   • FDELIMITEDPARSER
   • FDELIMITEDPAIRPARSER
   • FJSONPARSER
   • FREGEXPARSER