Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser cisco-meraki

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser cisco-meraki

Source Field	CPS Field	Description	Mapping
@rawstring, Vendor.ts, Vendor.occurredAt	@timestamp	Event timestamp	Parsed from various timestamp formats using parseTimestamp()
client.ip, client.domain	client.address	Client network address	Conditional assignment based on IP validation or domain fallback
Vendor.clientDescription	client.domain	Client domain name	Copied and lowercased from Vendor.clientDescription
Vendor.client_ip, Vendor.clientIp, Vendor.eventData.client_ip, Vendor.eventData.ip	client.ip	Client IP address	Copied from various vendor client IP fields
Vendor.client_mac, Vendor.clientMac	client.mac	Client MAC address	Copied and normalized from vendor MAC fields with colon-to-dash replacement
destination.ip, destination.domain	destination.address	Destination network address	Conditional assignment based on IP validation or domain fallback
Vendor.eventData.local_as	destination.as.number	Destination AS number for BGP events	Copied from Vendor.eventData.local_as
Vendor.dst, Vendor.destIp, Vendor.eventData.router	destination.ip	Destination IP address	Extracted from various vendor fields using regex or direct copy
Vendor.dhost	destination.mac	Destination MAC address	Copied and normalized from vendor destination MAC fields
Vendor.dport, destination.port	destination.port	Destination port number	Extracted from vendor fields using regex or direct copy
None	ecs.version	ECS version	Static value: 9.2.0
Vendor.eventData.error_code	error.code	Error code for BGP events	Copied from Vendor.eventData.error_code
Vendor.eventData.desc	error.message	Error message for BGP events	Copied from Vendor.eventData.desc
_event_subtype, Vendor.type, Vendor.eventType	event.action	Action performed	Derived from _event_subtype or Vendor.type/eventType
None	event.category[]	Event categories	Array populated based on event type and conditions
None	event.dataset	Dataset identifier	Static value based on log source and event type
Vendor.activeTime	event.duration	Event duration	Copied from Vendor.activeTime
None	event.kind	Event kind	Static value: event or alert based on conditions
None	event.module	Event module	Static value: meraki
Vendor.description, Vendor.message, syslog.message	event.original	Original event message	Copied from various vendor message fields
Vendor.connectivity, Vendor.blocked, _outcome	event.outcome	Event outcome	Derived from various conditions and vendor fields
Vendor.priority	event.severity	Event severity	Mapped from Vendor.priority using priority levels
_event_subtype, Vendor.action	event.type[]	Event types	Array populated based on event conditions and _event_subtype
Vendor.sha256, Vendor.fileHash	file.hash.sha256	File SHA256 hash	Copied and lowercased from vendor hash fields
Vendor.name	file.name	File name	Copied from Vendor.name
Vendor.fileSizeBytes	file.size	File size in bytes	Copied from Vendor.fileSizeBytes
Vendor.fileType	file.type	File type	Copied from Vendor.fileType
Vendor.clientDescription	host.hostname	Host hostname	Copied and lowercased from Vendor.clientDescription
Vendor.clientId	host.id	Host identifier	Copied from Vendor.clientId
Vendor.eventData.client_ip, Vendor.clientIp, Vendor.eventData.ip	host.ip[]	Host IP addresses	Array populated from various vendor IP fields
Vendor.clientMac, _temp_mac	host.mac[]	Host MAC addresses	Array populated from normalized vendor MAC fields
Vendor.http_method	http.request.method	HTTP request method	Copied from Vendor.http_method
@rawstring	log.syslog.appname	Syslog application name	Extracted from syslog header using regex
@rawstring	log.syslog.hostname	Syslog hostname	Extracted from syslog header using regex
@rawstring	log.syslog.priority	Syslog priority	Extracted from syslog header using regex
@rawstring	log.syslog.version	Syslog version	Extracted from syslog header using regex
Vendor.application	network.application	Network application	Copied from Vendor.application
Vendor.sent, Vendor.recv	network.bytes	Total network bytes	Calculated from Vendor.sent + Vendor.recv
Vendor.direction	network.direction	Network traffic direction	Copied from Vendor.direction
Vendor.forwarded_ip	network.forwarded_ip	Forwarded IP address	Copied from Vendor.forwarded_ip
Vendor.ssid, Vendor.networkId	network.name	Network name	Copied from various vendor fields
Vendor.flows	network.packets	Network packets count	Copied from Vendor.flows
Vendor.protocol	network.protocol	Network protocol	Copied and lowercased from vendor protocol fields
network.protocol	network.transport	Network transport protocol	Extracted from protocol normalization (tcp/ip to tcp, udp)
source.ip	network.type	Network type (ipv4/ipv6)	Determined from IP address format using CIDR matching
Vendor.vlan_id, Vendor.eventData.vlan	network.vlan.id	VLAN identifier	Copied from various vendor VLAN fields
_temp_mac	observer.mac[]	Observer MAC addresses	Array populated from normalized device MAC
Vendor.deviceName	observer.name	Observer device name	Copied from Vendor.deviceName
Vendor.deviceSerial	observer.serial_number	Observer serial number	Copied from Vendor.deviceSerial
None	observer.type	Observer type	Static value based on event type
Vendor.classification	rule.category	Rule category	Copied from Vendor.classification
Vendor.message	rule.description	Rule description	Copied from Vendor.message
Vendor.signature	rule.id	Rule identifier	Copied from Vendor.signature
Vendor.message	rule.name	Rule name	Copied from Vendor.message
Vendor.ruleId	rule.reference	Rule reference	Copied from Vendor.ruleId
server.ip, server.domain	server.address	Server network address	Conditional assignment based on IP validation or domain fallback
Vendor.url	server.domain	Server domain from URL	Parsed from URL host
Vendor.server, Vendor.original_server_ip	server.ip	Server IP address	Copied from various vendor server fields
Vendor.server_mac, Vendor.original_server_mac	server.mac	Server MAC address	Copied and normalized from vendor server MAC fields
Vendor.serverport	server.port	Server port number	Copied from Vendor.serverport
source.ip, source.domain	source.address	Source network address	Conditional assignment based on IP validation or domain fallback
Vendor.eventData.remote_as	source.as.number	Source AS number for BGP events	Copied from Vendor.eventData.remote_as
Vendor.src, Vendor.srcIp, Vendor.translated_src_ip	source.ip	Source IP address	Copied from various vendor source fields
Vendor.mac, Vendor.src, Vendor.clientMac	source.mac	Source MAC address	Copied and normalized from various vendor MAC fields
Vendor.sport, Vendor.translated_port	source.port	Source port number	Copied from various vendor port fields
Vendor.message	threat.indicator.description	Threat indicator description	Copied from Vendor.message
destination.ip	threat.indicator.ip	Threat indicator IP	Copied from destination.ip
network.transport	tls.version	TLS version	Extracted from regex pattern
url.original	url.domain	URL domain	Parsed from URL and lowercased
Vendor.url, Vendor.uri	url.original	Original URL	Copied from various vendor URL fields
url.original	url.path	URL path	Parsed from URL
url.original	url.query	URL query parameters	Parsed from URL
url.original	url.scheme	URL scheme	Parsed from URL
Vendor.username, user.name	user.name	Username	Copied from various vendor username fields
Vendor.agent	user_agent.original	Original user agent string	Copied from Vendor.agent

Enter search term