Parsers Management
A parser is a sequence of commands or a declaration in a supported coding system that converts script output to tabular data in one of the data collection tables. Job execution systems use parsers to normalize information retrieved from various devices into a common format for readable analysis.
Creating a new Parser
You can create a new parser to support custom data parsing by performing the following steps.
- Log in with an Administrator account.
- Navigate to Management > Parsers and click the Add button.
- Click on the parameter name for details about each or follow the guidance provided here:
- Name:
- Description:
- Type: Parser type defines the language or interpreter system that executes the parser. The following types are available:
  - Empty - the empty parser does not process input and does not generate analytical data
  - Groovy - the Groovy parser accepts Groovy input and converts it to tabular data
  - JSON - the JSON Query Language parser accepts JSON input and converts it to tabular data
  - UTAH - Unstructured Text Analytical Handler (UTAH) parser accepts unstructured text output and converts it to tabular data
  - XSLT - XSLT parser accepts XML documents and converts them to tabular data
- Code: Parser code is a structural or declarative program in the language defined by the parser type to convert script output to data stored in the system tables.
- Destination: Parser destination defines the object that contains structured parser output for subsequent analysis. The parser should process the script output to produce a map of object values for the selected destination. The following options are available:
  - OS: The OS object represents information about a device. The object contains the following attributes:
    - name - Device name
    - os - Operating System
    - os-version - Operating system version
  - Interface: The Interface object represents device network interfaces. The object contains the following attributes:
    - interface - Interface name
    - flags - Flags
    - flag-names - Flag names
    - options - Options
    - option-names - Option names
    - mtu - MTU (maximum transmission unit)
    - ether - Ethernet ID (MAC)
    - inet - IPv4 address
    - netmask - IPv4 netmask
    - broadcast - IPv4 broadcast
    - inet6 - IPv6 address
    - media - Interface media
    - status - Interface status (active / inactive)
  - Workload: The Workload object represents device workloads. A workload is a service that listens for incoming connections on certain addresses and ports. The object contains the following attributes:
    - address - Listening address
    - port - Listening port
    - process - Process name or some other ID
  - Connection: The Connection object represents established connections between remote workloads. The object contains the following attributes:
    - source-address - Source address
    - source-port - Source port
    - target-address - Target address
    - target-port - Target port
  - Firewall: The Firewall object represents device firewall configuration. The object contains the following attributes:
    - port - Port
    - application - Application
    - direction - Direction (in- or out-bound)
    - reject-type - Reject type (drop packet, return reject)
    - status - Status (accept or reject)
- Terminology: Parser terminology is a taxonomy that maps device-specific tokens extracted by a parser to the common terms expected by the application. A taxonomy used as parser terminology must include two levels of terms. At the top level, terms define the keys that a parser produces (examples are process for Workload or action for Firewall). Each key can include multiple entries for key values (such as Allow, Drop and Reject for firewall actions). Each term in the terminology taxonomy hierarchy can include multiple synonyms, which provide the actual translation: an extracted token that matches a synonym is translated to the common terminology defined by the main name of the term. For example, the action term for a Firewall taxonomy might include a term Deny with synonyms deny, reject, %%REJECT%% to accommodate the different wordings used by various firewall systems to designate the same Deny action.
- Qualifier: Parser qualifier defines parameters that enhance the data parsed from scripts executed on the network devices to produce metadata about the collected data.
- Test Parser: Allows parser data to be tested in this form.
- Sample Data: Enter sample data to test your parser configuration. Click the Test Parser button to execute the test.
- Test Result: The test result is generated in this read-only field.
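
The synonym translation described under the Terminology parameter can be sketched as follows. This is an added example, not the product's own code: the dictionary layout, the function names, the extra Allow synonyms, the sample rows and the case-insensitive matching are all assumptions. It also shows two checks worth having in any such mapping: rejecting a synonym claimed by two terms, and reporting tokens that have no mapping instead of passing them through silently.

```python
# Added illustration: layout, names and matching rules are assumptions,
# not the product's internal format or API.

# Constructed two-level taxonomy: key -> term (main name) -> synonyms.
TAXONOMY = {
    "action": {
        "Allow": ["allow", "accept", "permit"],
        "Deny": ["deny", "reject", "%%REJECT%%"],
        "Drop": ["drop"],
    },
}


def build_index(taxonomy):
    """Invert the taxonomy into {key: {folded token: term}}; reject ambiguity."""
    index = {}
    for key, terms in taxonomy.items():
        lookup = index.setdefault(key, {})
        for term, synonyms in terms.items():
            for token in [term, *synonyms]:
                folded = token.strip().lower()  # assumed: case-insensitive match
                if lookup.get(folded, term) != term:
                    raise ValueError(f"{key}: {token!r} is claimed by two terms")
                lookup[folded] = term
    return index


def normalize(rows, index):
    """Translate tokens to common terms; return (rows, unmapped tokens)."""
    normalized, unmapped = [], []
    for row in rows:
        out = dict(row)
        for key in index.keys() & row.keys():
            term = index[key].get(str(row[key]).strip().lower())
            if term is None:
                unmapped.append((key, row[key]))  # raw value kept, but reported
            else:
                out[key] = term
        normalized.append(out)
    return normalized, unmapped


# Constructed parser output rows from three hypothetical firewall systems.
SAMPLE_ROWS = [
    {"port": "22", "action": "%%REJECT%%"},
    {"port": "443", "action": "ACCEPT"},
    {"port": "8080", "action": "tarpit"},
]
```

Calling `normalize(SAMPLE_ROWS, build_index(TAXONOMY))` returns the rows with `action` translated to Deny and Allow, plus a list naming `tarpit` as a token that still needs a synonym entry.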