Parsing Rules File Structure and Syntax

The Parsing Rules file consists of multiple sections of three types, which also represent the custom syntax specific to Parsing Rules.
Parsing Rules requires a Cortex XDR Pro per TB license.
File Structure
The Parsing Rules file consists of multiple sections of these three types, which also represent the custom syntax specific to Parsing Rules.
  • CONST—(Optional) This section is used to define strings and numbers that can be re-used multiple times within XQL statements in other INGEST sections by using $constName.
  • INGEST—This section is used to define the resulting Parsing Rule.
  • RULE—(Optional) Rules are part of the XQL syntax, which are tagged with a name, and can be reused in the code in the INGEST sections by using [rule:ruleName].
The order of the sections is unimportant. The data of each section type gets grouped together during the parsing stage. Before any action takes place, all CONST sections are grouped together, all RULE objects are grouped together, and all INGEST objects are collected into the same list.
Syntax
The syntax used in the Parsing Rules file is derived from XQL, but with a few modifications. This subset of XQL is called XQL for Parsing (XQLp).
For more information on the XQL syntax, see Cortex XDR XQL Language Reference.
The CONST, INGEST, and RULE syntax is derived from XQL, but with the following modifications for XQLp.
  • A statement never starts with a dataset or preset selection. The query's data source is meaningless: where the raw logs come from is transparent to the user and fully handled by the system.
  • Only the following XQL stages are permitted: filter, alter, join, and fields. In addition, a new call stage is supported, which is used to invoke another rule.
  • No output stages are supported.
  • A Rule object can only contain a single statement.
  • A join inner query is restricted to using a lookup as a data source and is only supported in XQLp stages. There is no default lookup, so all join inner queries must start with dataset=<lookup> | ... .
  • CONST references ($MY_CONST) are supported.
  • An IN condition can only take a sequence list, such as device_name in ("device1", "device2", "device3"), and not another XQL or XQLp inner query.
C-style code comments can be used anywhere throughout the Parsing Rules file:
// line comment /* inner comment */
Every statement in the Parsing Rules file must end with a semicolon (;).
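The structural rules above (sections of three types grouped regardless of order, C-style comments anywhere, one statement per RULE, $constName references resolved inside INGEST statements, every statement terminated by a semicolon) are easiest to see in a small parser that enforces them. The following Python is an added example written for this page; it is not Cortex XDR code and does not execute XQL. The section header forms [CONST], [RULE: name] and [INGEST: key="value", ...], the call <rule> stage spelling, and the sample file itself are assumptions constructed for the example; only the section names, $constName, the call stage, the comment style and the semicolon rule come from the page.

```python
import re

# Constructed sample Parsing Rules file (not from the documentation). The header
# forms [CONST], [RULE: name], [INGEST: key="value", ...] and `call <rule>` are
# assumed for this example; the INGEST section deliberately comes first.
SAMPLE_FILE = r"""
// Sections may appear in any order: an INGEST section comes first on purpose.
[INGEST: vendor="acme", product="fw", target_dataset="acme_fw_raw"]
filter _raw_log contains $PRODUCT_TAG
| call parse_action
| alter src_ip = arrayindex(regextract(_raw_log, "src=(\S+)"), 0)
| fields src_ip, action;

[CONST]
PRODUCT_TAG = "ACME-FW";   /* tag carried by every firewall line */
MAX_LEN = 4096;

[RULE: parse_action]
alter action = arrayindex(regextract(_raw_log, "action=(\w+)"), 0);

[INGEST: vendor="acme", product="vpn", target_dataset="acme_vpn_raw"]
filter _raw_log contains "ACME-VPN"   // the "//" inside the string below must survive
| alter note = "see https://example.invalid/docs", max_len = $MAX_LEN
| fields _raw_log, note, max_len;
"""

HEADER_RE = re.compile(r"^\[(CONST|RULE|INGEST)\s*(?::\s*(.*?))?\]\s*$", re.MULTILINE)
CONST_REF_RE = re.compile(r"\$([A-Za-z_]\w*)")
CALL_RE = re.compile(r"\|\s*call\s+([A-Za-z_]\w*)")


def strip_comments(text: str) -> str:
    """Remove // and /* */ comments while copying double-quoted strings verbatim."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # string literal: copy untouched
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):          # line comment: drop to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):          # block comment: drop to closing */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_sections(text: str) -> list[tuple[str, str, str]]:
    """Return (kind, header argument, body) for each [CONST]/[RULE]/[INGEST] section."""
    heads = list(HEADER_RE.finditer(text))
    sections = []
    for k, m in enumerate(heads):
        end = heads[k + 1].start() if k + 1 < len(heads) else len(text)
        sections.append((m.group(1), (m.group(2) or "").strip(), text[m.end():end].strip()))
    return sections


def split_statements(body: str) -> list[str]:
    """Split on ';' outside string literals; trailing text without ';' is an error."""
    stmts, cur, in_str = [], [], False
    for c in body:
        if c == '"':
            in_str = not in_str
        if c == ";" and not in_str:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
    leftover = "".join(cur).strip()
    if leftover:
        raise ValueError(f"statement missing trailing ';': {leftover[:40]!r}")
    return [s for s in stmts if s]


def parse_rules_file(text: str) -> dict:
    """Group all sections by type first, then resolve $CONST and call references."""
    consts, rules, ingests = {}, {}, []
    for kind, arg, body in split_sections(strip_comments(text)):
        stmts = split_statements(body)
        if kind == "CONST":
            for s in stmts:
                name, eq, value = s.partition("=")
                if not eq:
                    raise ValueError(f"CONST entry is not NAME = value: {s!r}")
                consts[name.strip()] = value.strip()
        elif kind == "RULE":
            if len(stmts) != 1:   # the page: a Rule object holds a single statement
                raise ValueError(f"RULE {arg!r} must contain exactly one statement, got {len(stmts)}")
            rules[arg] = stmts[0]
        else:
            ingests.append({"attrs": arg, "statements": stmts})

    def resolve(m: re.Match) -> str:       # $NAME -> defined value, else error
        if m.group(1) not in consts:
            raise ValueError(f"undefined constant ${m.group(1)}")
        return consts[m.group(1)]

    for ing in ingests:   # only now are all CONST and RULE objects known
        ing["statements"] = [CONST_REF_RE.sub(resolve, s) for s in ing["statements"]]
        for s in ing["statements"]:
            for name in CALL_RE.findall(s):
                if name not in rules:
                    raise ValueError(f"call to undefined rule {name!r}")
    return {"consts": consts, "rules": rules, "ingests": ingests}


def errors_for(text: str) -> list[str]:
    """Validation errors for a Parsing Rules file ([] when it is well-formed)."""
    try:
        parse_rules_file(text)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    for ing in parse_rules_file(SAMPLE_FILE)["ingests"]:
        print(ing["attrs"], "->", ing["statements"][0].splitlines()[0])
```

Because the header text is scanned only after comments are removed and strings are preserved, a `//` inside a quoted URL is kept while a trailing line comment on the same line is dropped; and because `call` targets are checked only after every section has been collected, an INGEST section may legitimately appear before the RULE it invokes, which is exactly the "order is unimportant" property the page describes.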