Parsing Rules Raw Dataset

Each vendor and product has its own raw dataset with its own default format that can be overridden in an INGEST section.
Parsing Rules requires a Cortex XDR Pro per TB license.
Each vendor and product has its own raw dataset that uses the format <vendor>_<product>_raw. For example, for Palo Alto Networks Next-Generation Firewall, the dataset is called panw_ngfw_raw. This raw dataset by default keeps all raw logs, whether ingested or dropped for other datasets.
You can override the default raw dataset by creating an INGEST section referring to that dataset. For example, the following syntax overrides the panw_ngfw_raw automatic Parsing Rule.
[ingest:vendor=panw, product=ngfw, dataset=panw_ngfw_raw] filter ... | alter ...;
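The following is an added, filled-in version of the override above; it is an illustration written for this page, not a rule shipped with the product. It assumes the raw log text is available in the _raw_log field, and the "TRAFFIC" match string and the retained_by field name are made-up values. Because this rule replaces the default behaviour of keeping every raw log, any event the filter excludes is no longer stored in panw_ngfw_raw, so a narrow filter reduces what is available for later investigation.

```xql
// Added example: override the automatic raw-dataset rule for panw_ngfw_raw.
// Assumed: the raw log text is in the _raw_log field; "TRAFFIC" and the
// retained_by field are illustrative values chosen for this example.
[ingest:vendor=panw, product=ngfw, dataset=panw_ngfw_raw]
filter _raw_log contains "TRAFFIC"
| alter retained_by = "raw_override_rule";
```

Only logs whose raw text contains "TRAFFIC" are kept in the raw dataset, and each kept row carries the added retained_by field so that anyone querying the dataset later can see that a custom override, rather than the default keep-everything rule, decided what was stored.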