This documentation and the Cisco Observability Platform functionalities it describes are subject to change. Data saved on the platform may disappear and APIs may change without notice.
Create Parsing Rules
Server-side log parsing rules enable solutions to extract fields from incoming log messages at the time of ingestion, which has many benefits:
- It speeds up root cause analysis and reduces mean-time-to-resolution (MTTR). Instead of manually sifting through log messages to find relevant information, support teams can quickly filter log messages based on extracted fields and focus on the relevant log messages.
- It allows solutions and end-users to leverage pre-defined extracted fields for searching, alerting, and creating dashboards.
- By saving these rules on the server, solutions can standardize field names and searches, simplify the searches, improve search performance, and apply the same rules to new log sources and hosts.
Limitation: Currently, the platform doesn't support defining a logging solution. Instead, you can configure the Log Collector that is bundled with the Cisco Cloud Observability solution.
To create a parsing rule, add a MELT workflow of type logs:logParsingRule to your solution as follows:
1. In <your-solution-name>/logs/objects/parsing-rule.json, add a MELT workflow of type logs:logParsingRule. This file can contain an array of MELT workflows of type logs:logParsingRule.
2. Add the new MELT workflow(s) to your solution:
   Make the following changes to your solution manifest file (<your-solution-name>/manifest.json):
   - In dependencies, add logs.
   - In objects, add this snippet:
     { "type": "logs:logParsingRule", "objectsFile": "logs/objects/parsing-rule.json" }
   - In
3. Validate manifest.json with the command fsoc solution validate.
Enable or Disable a Parsing Rule
You enable or disable parsing rules individually in each logs:logParsingRule MELT workflow by setting its isEnabled attribute to true.
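The following Python pre-check is an added example, not part of the platform documentation or of fsoc. It checks the manifest wiring and the isEnabled values described above before you run fsoc solution validate. It assumes that dependencies is a JSON array and that isEnabled is a top-level key of each workflow object; the function name check_solution is hypothetical.

```python
import json
from pathlib import Path

RULE_TYPE = "logs:logParsingRule"

def check_solution(solution_dir):
    """Return a list of problems in the solution's parsing-rule wiring."""
    root = Path(solution_dir).resolve()
    try:
        manifest = json.loads((root / "manifest.json").read_text())
    except (OSError, ValueError) as exc:
        return [f"manifest.json: cannot read or parse ({exc})"]
    if not isinstance(manifest, dict):
        return ["manifest.json: top level is not a JSON object"]

    problems = []
    # Assumption: "dependencies" is a JSON array of solution names.
    if "logs" not in (manifest.get("dependencies") or []):
        problems.append('manifest.json: "logs" missing from dependencies')

    entries = [o for o in (manifest.get("objects") or [])
               if isinstance(o, dict) and o.get("type") == RULE_TYPE]
    if not entries:
        problems.append(f"manifest.json: no objects entry of type {RULE_TYPE}")

    for entry in entries:
        rel = entry.get("objectsFile")
        # The referenced file must stay inside the solution directory.
        if not isinstance(rel, str) or not rel \
                or not (root / rel).resolve().is_relative_to(root):
            problems.append(f"objectsFile {rel!r}: not a path inside the solution")
            continue
        try:
            data = json.loads((root / rel).read_text())
        except (OSError, ValueError) as exc:
            problems.append(f"{rel}: cannot read or parse ({exc})")
            continue
        # The file holds one workflow or an array of workflows.
        rules = data if isinstance(data, list) else [data]
        for i, rule in enumerate(rules):
            if not isinstance(rule, dict):
                problems.append(f"{rel}[{i}]: not a JSON object")
            # Assumption: isEnabled is a top-level key of the workflow.
            elif "isEnabled" in rule and not isinstance(rule["isEnabled"], bool):
                problems.append(f"{rel}[{i}]: isEnabled must be a JSON boolean, "
                                f"got {rule['isEnabled']!r}")
    return problems
```

An empty list means the local checks passed. The string "true" in place of the JSON boolean true is reported, so a rule is not left in an unintended state by a quoting mistake.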