Troubleshooting Parsing Rules Errors - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2023-10-30
Last date published: 2024-03-28
Category: Administrator Guide
Abstract

Learn how to easily identify and resolve parsing errors.

Note

Only a user with Cortex Account Administrator or Instance Administrator permissions can access Parsing Rules.

To help you easily identify and resolve parsing errors in Cortex XSIAM, all parsing errors are saved to a separate dataset called parsing_rules_errors. This dataset displays important information about each error, including the RAW_LOG, log metadata, Parsing Rule metadata, and error description, which you need to effectively troubleshoot the problem. In addition, a Parsing Rules Error notification is sent to the Notification Center whenever a new parsing error is added to the dataset.

Types of Parsing Errors

Parsing errors fall into the following types:

  • Compilation Errors: The rule cannot be compiled, for example because of invalid function parameters such as a malformed regular expression.

  • Data Format Errors: The data type the rule expects (such as CEF, LEEF, or JSON) does not match the actual data (such as TEXT or CSV).

  • Runtime Errors: The rule compiles but cannot be applied to the data, for example because it attempts to add a String to a Number.

Parsing Errors Dataset

All parsing errors and Cortex Data Model (XDM) errors are saved to a dataset called parsing_rules_errors. The following table describes, in alphabetical order, the fields that are available when you query the parsing_rules_errors dataset in XQL Search.
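The Data Format Error type above, and the kind of record this dataset holds for it, can be illustrated with a small offline checker. The following Python is an added example, not Cortex XSIAM code and not the product's own format detector: it classifies a raw log line as CEF, LEEF, JSON, CSV, or TEXT with simple heuristics, compares that against the format a rule expects, and emits a record whose keys (rule_name, expected_format, actual_format, RAW_LOG, error_description) are hypothetical and only mirror the information the guide says parsing_rules_errors carries. The rule names and log lines are constructed sample data.

```python
import csv
import io
import json
from collections import Counter
from typing import Optional


def detect_format(raw_log: str) -> str:
    """Best-effort classification of one raw log line.

    Heuristic only (assumption, not the product's detector): precedence is
    CEF, LEEF, JSON, CSV, then TEXT as the fallback.
    """
    line = raw_log.strip()
    # CEF/LEEF headers may follow a syslog prefix, so search rather than match at start.
    # A CEF header has 7 pipe-separated fields before the extension; LEEF has 5.
    if "CEF:" in line and line[line.index("CEF:"):].count("|") >= 7:
        return "CEF"
    if "LEEF:" in line and line[line.index("LEEF:"):].count("|") >= 5:
        return "LEEF"
    if line.startswith(("{", "[")):
        try:
            parsed = json.loads(line)
            if isinstance(parsed, (dict, list)):
                return "JSON"
        except json.JSONDecodeError:
            pass  # looked like JSON but did not parse; fall through
    # Treat a line with three or more non-empty comma-separated cells as CSV.
    row = next(csv.reader(io.StringIO(line)), [])
    if len(row) >= 3 and all(cell.strip() for cell in row):
        return "CSV"
    return "TEXT"


def check_rule_input(rule_name: str, expected_format: str, raw_log: str) -> Optional[dict]:
    """Return a Data Format Error record when the log does not match the
    rule's expected format, or None when it does. Keys are hypothetical."""
    actual = detect_format(raw_log)
    if actual == expected_format:
        return None
    return {
        "error_type": "Data Format Error",
        "rule_name": rule_name,
        "expected_format": expected_format,
        "actual_format": actual,
        "RAW_LOG": raw_log,
        "error_description": f"rule '{rule_name}' expects {expected_format} but received {actual}",
    }


# Constructed samples: (rule name, format the rule expects, raw log line).
SAMPLE_LOGS = [
    ("fw_cef_rule", "CEF",
     "CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection blocked|5|src=10.0.0.5 dst=10.0.0.9"),
    ("fw_cef_rule", "CEF",
     "Oct 30 10:00:00 fw01 kernel: blocked connection from 10.0.0.5"),
    ("api_json_rule", "JSON",
     '{"event": "login", "user": "alice", "result": "success"}'),
    ("api_json_rule", "JSON",
     "login,alice,success,2023-10-30T10:00:00Z"),
    ("siem_leef_rule", "LEEF",
     "LEEF:2.0|ExampleVendor|ExampleSIEM|1.0|Alert|^|sev=3^msg=test"),
]


def run_checks(samples=SAMPLE_LOGS) -> list:
    """Run every sample through its rule and keep only the error records."""
    return [rec for rec in (check_rule_input(*s) for s in samples) if rec]


def summarize(errors) -> Counter:
    """Count errors per (rule, expected, actual) triple: the first cut an
    administrator wants when triaging the dataset."""
    return Counter((e["rule_name"], e["expected_format"], e["actual_format"]) for e in errors)


if __name__ == "__main__":
    found = run_checks()
    for rec in found:
        print(rec["error_description"])
        print("  RAW_LOG:", rec["RAW_LOG"])
    for key, n in summarize(found).items():
        print(key, n)
```

Two of the five sample lines produce error records (a TEXT syslog line fed to a CEF rule, and a CSV line fed to a JSON rule); the rest parse as the format their rule expects. The summary step is the same grouping you would do in XQL Search over the real dataset to see which rule and format mismatch dominates before fixing the rule or the source.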

Note

Some errors can only be found after the applicable logs are collected in Cortex XSIAM.