Parsers and Generated Fields | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Search Archives Contacting Support

Parsers and Generated Fields

Tag Fields Created by Parser paloalto-prisma-sdwan

#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser paloalto-prisma-sdwan

Vendor Field	CPS Field	Description
`event.category[]`	Array	Vendor.zbfw_classification_rules, Vendor.flow_event, error.code, Vendor.MSG, log.syslog.appname
`event.type[]`	Array	Vendor.zbfw_classification_rules, Vendor.flow_event, Vendor.MSG, log.syslog.appname
`network.bytes`	Calculated	source.bytes, destination.bytes
`network.packets`	Calculated	source.packets, destination.packets
`destination.address`	Coalesced	Vendor.dst_ip, Vendor.DST_IP, Vendor.REMOTE_IP
`destination.bytes`	Coalesced	Vendor.bytes_recvd, Vendor.BYTES_SENT
`destination.packets`	Coalesced	Vendor.pkts_sent, Vendor.PKTS_SENT
`destination.port`	Coalesced	Vendor.dst_port, Vendor.DST_PORT
`log.level`	Coalesced	Vendor.Severity, Vendor.SEVERITY
`observer.hostname`	Coalesced	Vendor.CLOUDGENIX_HOST, Vendor.ION_HOST
`source.address`	Coalesced	Vendor.src_ip, Vendor.SRC_IP
`source.bytes`	Coalesced	Vendor.bytes_sent, Vendor.BYTES_RECVD
`source.packets`	Coalesced	Vendor.pkts_sent, Vendor.PKTS_RECVD
`source.port`	Coalesced	Vendor.src_port, Vendor.SRC_PORT
`user.name`	Coalesced	Vendor.user, Vendor.USER
`client.ip`	Conditional	client.address
`destination.ip`	Conditional	destination.address
`event.dataset`	Conditional	Vendor.STATUS, Vendor.FACILITY
`event.outcome`	Conditional	Vendor.STATUS, Vendor.MSG, log.syslog.appname
`event.severity`	Conditional	log.level
`server.ip`	Conditional	server.address
`source.ip`	Conditional	source.address
`client.address`	Copied	source.address
`client.bytes`	Copied	source.bytes
`client.packets`	Copied	source.packets
`client.port`	Copied	source.port
`destination.domain`	Copied	Vendor.REMOTE_HOSTNAME
`error.code`	Copied	Vendor.CODE
`event.created`	Copied	Vendor.DEVICE_TIME
`event.id`	Copied	Vendor.IDENTIFIER
`event.reason`	Copied	Vendor.REASON
`host.name`	Copied	Vendor.DeviceName
`log.syslog.facility.name`	Copied	Vendor.FACILITY
`log.syslog.severity.name`	Copied	Vendor.SEVERITY
`network.application`	Copied	Vendor.app_name
`network.transport`	Copied	Vendor.protocol_name
`process.name`	Copied	Vendor.PROCESS_NAME
`process.pid`	Copied	Vendor.ProcessID
`server.address`	Copied	destination.address
`server.bytes`	Copied	destination.bytes
`server.domain`	Copied	destination.domain
`server.packets`	Copied	destination.packets
`server.port`	Copied	destination.port
`source.domain`	Copied	Vendor.NAME
`event.action`	Extracted	Vendor.MSG, Vendor.zbfw_classification_rules
`log.syslog.appname`	Extracted	@rawstring, Vendor.MSG
`log.syslog.hostname`	Extracted	@rawstring
`log.syslog.priority`	Extracted	@rawstring
`log.syslog.procid`	Extracted	@rawstring
`log.syslog.version`	Extracted	@rawstring
`observer.ip[0]`	Extracted	@rawstring
`@timestamp`	Parsed	Vendor.event_time, __ts, Vendor.DEVICE_TIME
`ecs.version`	Static	None
`event.kind`	Static	None
`event.module`	Static	None
Vendor.zbfw_classification_rules	__tmp_zbfw_rules
source.address	client.address
source.bytes	client.bytes
source.packets	client.packets
source.port	client.port
Vendor.REMOTE_HOSTNAME	destination.domain
Vendor.CODE	error.code
Vendor.MSG	event.action
Vendor.DEVICE_TIME	event.created
Vendor.IDENTIFIER	event.id
Vendor.REASON	event.reason
Vendor.DeviceName	host.name
Vendor.FACILITY	log.syslog.facility.name
Vendor.SEVERITY	log.syslog.severity.name
Vendor.app_name	network.application
source.bytes	network.bytes
source.packets	network.packets
Vendor.protocol_name	network.transport
Vendor.PROCESS_NAME	process.name
Vendor.ProcessID	process.pid
destination.address	server.address
destination.bytes	server.bytes
destination.domain	server.domain
destination.port	server.port
Vendor.NAME	source.domain

Enter search term