Parsers and Generated Fields
Tag Fields Created by Parser purestorage-flashblade
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser purestorage-flashblade
| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| Vendor.syslog.timestamp | @timestamp | Event timestamp | Parsed from syslog timestamp using MMM [ ]d HH:mm:ss format |
| None | ecs.version | ECS schema version | Static value: 9.3.0 |
| Vendor.ErrorMessage | error.message | Error message description | Copied from Vendor.ErrorMessage |
| Vendor.SuggestedAction, Vendor.Action, Vendor.ACTION | event.action | Action taken or suggested | Copied from Vendor.SuggestedAction or lowercase Vendor.Action or Vendor.ACTION |
| log.logger | event.category[] | Event categorization | Array populated based on log.logger conditions |
| Vendor.FirstSeenArray, Vendor.Time, Vendor.UTC_Time, Vendor.time | event.created | Event creation time | Copied from various timestamp fields using coalesce |
| Vendor.u_sid | event.hash | Event hash identifier | Copied from lowercase Vendor.u_sid |
| Vendor.AlertID, Vendor.GUID, Vendor.EventID, Vendor.eid | event.id | Unique event identifier | Copied from various ID fields using coalesce |
| None | event.kind | Event classification | Static value: event |
| None | event.module | Module identifier | Static value: flashblade |
| Vendor.result, Vendor.SUCCESS | event.outcome | Event outcome status | Mapped from Vendor.result or Vendor.SUCCESS |
| Vendor.AlertMessage, Vendor.ErrorMessage | event.reason | Event reason description | Copied from alert or error message using coalesce |
| Vendor.Knowledgebase | event.reference | Reference URL for more information | Copied from Vendor.Knowledgebase |
| Vendor.AuditID | event.sequence | Event sequence number | Copied from Vendor.AuditID |
| Vendor.SeverityText | event.severity | Event severity level | Mapped from Vendor.SeverityText to numeric values |
| Vendor.FirstSeenUTC | event.start | Event start time | Copied from Vendor.FirstSeenUTC |
| None, event.action | event.type[] | Event type classification | Static value: info or conditional based on event.action |
| Vendor.fs | file.name | File system name | Copied from Vendor.fs |
| Vendor.path | file.path | File path | Copied from Vendor.path |
| Vendor.f_type | file.type | File type | Copied from Vendor.f_type |
| Vendor.Host, log.syslog.hostname | host.hostname | Host identifier | Copied from Vendor.Host or log.syslog.hostname, converted to lowercase |
| @rawstring | log.logger | Logger name | Extracted from syslog header using regex or static assignment |
| @rawstring | log.syslog.hostname | Syslog hostname | Extracted from syslog header using regex |
| @rawstring | log.syslog.priority | Syslog priority value | Extracted from syslog header using regex |
| Vendor.Message | message | Original message content | Copied from Vendor.Message |
| Vendor.Host | observer.hostname | Observer hostname | Copied from Vendor.Host |
| Vendor.DeviceID | observer.serial_number | Observer device serial number | Copied from Vendor.DeviceID |
| Vendor.PurityVersion | observer.version | Observer software version | Copied from Vendor.PurityVersion |
| Vendor.Arguments | process.args[] | Process arguments array | Split from Vendor.Arguments by spaces |
| Vendor.Subcommand | process.command_line | Command line executed | Copied from Vendor.Subcommand |
| Vendor.Command | process.name | Process name | Copied from Vendor.Command |
| Vendor.FROM | source.address | Source address | Copied from lowercase Vendor.FROM |
| source.address | source.domain | Source domain name | Copied from source.address when the value is not an IP address |
| Vendor.Location, Vendor.client_ip, source.address | source.ip | Source IP address | Copied from Vendor.Location, Vendor.client_ip, or from source.address when that value is an IP address |
| Vendor.User, Vendor.USER | user.name | Username | Copied from Vendor.User or Vendor.USER |
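The following is an added Python example, not the parser's own code, that applies the mappings in the table above to two constructed FlashBlade-style syslog lines: the syslog header regex, the `MMM [ ]d HH:mm:ss` timestamp (one or two spaces before the day), the coalesce chains, lowercasing of the host and source fields, the IP-versus-domain split for `source.address`, and the space-split of `process.args`. The key=value body layout, the sample lines, the numeric severity values and the `result`/`SUCCESS` outcome values are assumptions (the page states that those mappings exist but not their values); the `event.category` and conditional `event.type` logic is left out because the page does not list the conditions.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input (not real FlashBlade output): BSD syslog header
# followed by key=value pairs, quoted values may contain spaces. The key names
# come from the mapping table; the line layout itself is an assumption.
SAMPLE_LINES = [
    '<14>Mar  5 08:07:09 fb-01 audit: Command=pureuser Subcommand=create '
    'Arguments="--role admin bob" User=Alice FROM=10.0.0.5 AuditID=42 '
    'Host=FB-01 PurityVersion=4.1.0 DeviceID=PURE-000123 SUCCESS=true',
    '<12>Mar 15 23:59:01 fb-02 alert: AlertID=7 AlertMessage="Hardware component failure" '
    'SeverityText=critical FROM=Admin.Example.Internal Host=fb-02',
]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<logger>[^\s:]+): (?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# ASSUMED: the page only says SeverityText maps to a number, not which numbers.
SEVERITY = {"info": 1, "warning": 3, "critical": 5}
# ASSUMED: the page does not list the Vendor.result / Vendor.SUCCESS values.
OUTCOME = {"true": "success", "false": "failure"}
# Plain one-to-one copies from the table (Vendor.* key -> CPS field).
COPY_AS_IS = [
    ("ErrorMessage", "error.message"), ("Knowledgebase", "event.reference"),
    ("FirstSeenUTC", "event.start"), ("fs", "file.name"), ("path", "file.path"),
    ("f_type", "file.type"), ("Message", "message"), ("Host", "observer.hostname"),
    ("DeviceID", "observer.serial_number"), ("PurityVersion", "observer.version"),
    ("Subcommand", "process.command_line"), ("Command", "process.name"),
]


def coalesce(d: dict, *keys: str) -> Optional[str]:
    """First non-empty value among keys, the table's 'using coalesce'."""
    for k in keys:
        if d.get(k) not in (None, ""):
            return d[k]
    return None


def parse_timestamp(ts: str, year: int) -> str:
    """'MMM [ ]d HH:mm:ss': one or two spaces before a one-digit day.
    Syslog timestamps carry no year, so the caller supplies it (UTC assumed)."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")  # strptime treats ' ' as any whitespace run
    return dt.replace(year=year, tzinfo=timezone.utc).isoformat()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def normalise(raw: str, year: int = 2024) -> dict:
    """Map one raw line onto the CPS/ECS field names from the table."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("line does not carry the expected syslog header")
    v = {k: q or u for k, q, u in KV_RE.findall(m["body"])}  # Vendor.* fields
    out = {
        "@timestamp": parse_timestamp(m["ts"], year),
        "ecs.version": "9.3.0", "event.kind": "event", "event.module": "flashblade",
        "event.type": ["info"],  # the page's event.action conditions are not listed
        "log.syslog.priority": int(m["pri"]),
        "log.syslog.hostname": m["host"], "log.logger": m["logger"],
    }

    def put(key: str, val) -> None:  # drop empty values instead of emitting nulls
        if val not in (None, "", []):
            out[key] = val

    for src, dst in COPY_AS_IS:
        put(dst, v.get(src))
    put("event.action", v.get("SuggestedAction") or (coalesce(v, "Action", "ACTION") or "").lower())
    put("event.created", coalesce(v, "FirstSeenArray", "Time", "UTC_Time", "time"))
    put("event.hash", (v.get("u_sid") or "").lower())
    put("event.id", coalesce(v, "AlertID", "GUID", "EventID", "eid"))
    outcome = coalesce(v, "result", "SUCCESS")
    put("event.outcome", OUTCOME.get(outcome.lower(), outcome.lower()) if outcome else None)
    put("event.reason", coalesce(v, "AlertMessage", "ErrorMessage"))
    put("event.sequence", int(v["AuditID"]) if v.get("AuditID", "").isdigit() else None)
    put("event.severity", SEVERITY.get((v.get("SeverityText") or "").lower()))
    put("host.hostname", (v.get("Host") or m["host"]).lower())
    put("process.args", v["Arguments"].split(" ") if v.get("Arguments") else None)
    put("user.name", coalesce(v, "User", "USER"))
    # source.*: lowercase FROM is the address; an IP lands in source.ip, anything
    # else in source.domain; Location / client_ip take precedence for source.ip.
    addr = (v.get("FROM") or "").lower()
    put("source.address", addr)
    put("source.domain", addr if addr and not is_ip(addr) else None)
    put("source.ip", coalesce(v, "Location", "client_ip") or (addr if is_ip(addr) else None))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalise(line))
```

Running the module prints the normalised dictionary for each sample line; the year parameter exists only because the syslog header carries none, which is the usual gap to watch for when this format is ingested across a year boundary.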