Parser Inbuilt Functions

The following parser inbuilt functions are available:

Combining Two or More Strings to Produce a Final String

This is accomplished by the combineMsgId function, which concatenates its arguments (string literals and $attribute references) in the order given.

<setEventAttribute attr="eventType">combineMsgId("string-", $_evIdPrefix, "-", $_evIdSuffix)</setEventAttribute>
_evIdPrefix: prefix
_evIdSuffix: suffix
eventType: string-prefix-suffix

String literals must be wrapped in double quotes ("); single quotes (') are not accepted.

Normalize MAC Address

This is accomplished by the normalizeMAC function.

<setEventAttribute attr="hostMACAddr">normalizeMAC($_mac)</setEventAttribute>

Compare Interface Security Level

This is accomplished by the compIntfSecVal function.

<setEventAttribute attr="_result">compIntfSecVal($srcIntf, $destIntf)</setEventAttribute>

Compares the security levels of srcIntf and destIntf. The result is one of "LESS", "GREATER" or "EQUAL".

Convert Hex Number to Decimal Number

This is accomplished by the convertHexStrToInt function.

<setEventAttribute attr="ipConnId">convertHexStrToInt($_ipConnId)</setEventAttribute>

Convert TCP/UDP Protocol String to Port Number

This is accomplished by the following convertStrToIntIpPort function.

<setEventAttribute attr="destIpPort">convertStrToIntIpPort($_dport)</setEventAttribute>

Convert Protocol String to Number

This is accomplished by the following convertStrToIntIpProto function.

<setEventAttribute attr="ipProto">convertStrToIntIpProto($_proStr)</setEventAttribute>

Convert Decimal IP to String

This is accomplished by the following convertIpDecimalToStr function.

<setEventAttribute attr="srcIpAddr">convertIpDecimalToStr($_srcIpAddr)</setEventAttribute>

Convert Host Name to IP

This is accomplished by the following convertHostNameToIp function.

<setEventAttribute attr="srcIpAddr">convertHostNameToIp($_saddr)</setEventAttribute>

Add Two Numbers

This is accomplished by the following add function.

<setEventAttribute attr="totBytes">add($sentBytes, $recvBytes)</setEventAttribute>

Divide Two Numbers

This is accomplished by the following divide function.

<setEventAttribute attr="memUtil">divide($_usedMem, $_totalMem)</setEventAttribute>

Scale

This is accomplished by the following scale function.

<setEventAttribute attr="durationMSec">scale($_durationSec, 1000)</setEventAttribute>

Calculate Milliseconds

This is accomplished by the following calculateMSec function, which converts an HH:MM:SS duration to milliseconds.

<setEventAttribute attr="durationMSec">calculateMSec($_duration)</setEventAttribute>
_duration: 00:00:15
durationMSec: 15000

Extract Host from FQDN

This is accomplished by the following extractHostFromFQDN function.

<setEventAttribute attr="hostName">extractHostFromFQDN($_fqdn)</setEventAttribute>
_fqdn: host.abc.net
hostName: host

If _fqdn contains a dot, the function returns the substring before the first dot; otherwise it returns the whole string.

Replace String by Regular Expression

This is accomplished by the following replaceStringByRegex function.

<setEventAttribute attr="eventType">replaceStringByRegex($_eventType, "\s+", "_")</setEventAttribute>
_eventType: Event Type
eventType: Event_Type

Replace String in String

This is accomplished by the following replaceStrInStr function.

<setEventAttribute attr="computer">replaceStrInStr($_computer, "\\", "")</setEventAttribute>

Replaces every occurrence of the search string (second argument) in _computer with the replacement string (third argument); an empty replacement, as here, deletes it.

Resolve DNS Name

This is accomplished by the following resolveDNSName function.

<setEventAttribute attr="destIpAddr">resolveDNSName($destName)</setEventAttribute>

Shift Time Sec

This is accomplished by the following shiftTimeSec function.

<setEventAttribute attr="logonTime">shiftTimeSec($_mon, $_day, $_year, $_time, $_durationSec)</setEventAttribute>
_mon: 1
_day: 1
_year: 2000
_time: 01:00:10
_durationSec: 10
logonTime: 01:00:00 01/01/2000
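The following block is an added reference model of the calculateMSec and shiftTimeSec behaviour described above; it is not FortiSIEM's own code. It assumes what the page only shows by example: durations are HH:MM:SS, shiftTimeSec subtracts the seconds, and the result is laid out as HH:MM:SS MM/DD/YYYY. It also covers the case the page does not show, a shift that crosses midnight and therefore changes the date.

```python
from datetime import datetime, timedelta

# Added reference model of the page's calculateMSec and shiftTimeSec functions
# (not FortiSIEM's own code). Assumed, not stated on the page: durations are
# "HH:MM:SS" with hours allowed to exceed 23, and shiftTimeSec subtracts the
# seconds, as the page's example (01:00:10 minus 10 s) shows.


def calculate_msec(duration):
    """Convert an 'HH:MM:SS' duration to milliseconds, e.g. '00:00:15' -> 15000."""
    parts = duration.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected HH:MM:SS, got %r" % duration)
    hours, minutes, seconds = (int(p) for p in parts)
    if minutes > 59 or seconds > 59:
        raise ValueError("minutes/seconds out of range in %r" % duration)
    return ((hours * 60 + minutes) * 60 + seconds) * 1000


def shift_time_sec(mon, day, year, time_of_day, duration_sec):
    """Subtract duration_sec seconds from the given date and time and return the
    result as 'HH:MM:SS MM/DD/YYYY', the layout shown in the page's example.
    The arithmetic is done on a datetime so the shift carries across midnight
    and month boundaries instead of producing a negative clock value."""
    start = datetime.strptime(
        "%s/%s/%s %s" % (mon, day, year, time_of_day), "%m/%d/%Y %H:%M:%S"
    )
    shifted = start - timedelta(seconds=int(duration_sec))
    return shifted.strftime("%H:%M:%S %m/%d/%Y")


if __name__ == "__main__":
    # Constructed sample values mirroring the page's examples.
    print(calculate_msec("00:00:15"))                          # 15000
    print(shift_time_sec("1", "1", "2000", "01:00:10", "10"))  # 01:00:00 01/01/2000
    # Shifting back past midnight moves the date as well (2000 is a leap year).
    print(shift_time_sec("3", "1", "2000", "00:00:05", "10"))  # 23:59:55 02/29/2000
```

Doing the subtraction on a datetime rather than on the HH:MM:SS fields is the point: a naive field-wise subtraction of 10 seconds from 00:00:05 yields a negative clock value, while the datetime form rolls back to 23:59:55 on the previous day.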

To DateTime

This is accomplished by the following toDateTime function.

<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>

Trim Attribute

This is accomplished by the following trimAttribute function.

<setEventAttribute attr="destName">trimAttribute($destName, ".")</setEventAttribute>

Trim leading and trailing dots in destName.

Get Severity from Syslog Priority

This is accomplished by the following getEventSeverityFromSyslogPriority function.

<setEventAttribute attr="eventSeverity">getEventSeverityFromSyslogPriority($_pri)</setEventAttribute>
_pri: 52
eventSeverity: 5

Sets the event severity from the syslog priority (PRI). The bottom 3 bits of the priority hold the syslog severity (0 emergency through 7 debug); the remaining bits hold the facility. In the example, PRI 52 has syslog severity 4 (warning), which the function maps to eventSeverity 5.

http://en.wikipedia.org/wiki/Syslog
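The block below is an added example, not FortiSIEM code, showing the PRI decomposition that getEventSeverityFromSyslogPriority builds on, as RFC 5424 section 6.2.1 defines it: PRI = facility * 8 + severity. The page only shows that PRI 52 becomes eventSeverity 5 and does not give the table that maps the eight syslog severities onto eventSeverity, so the block stops at the standard facility/severity split and at pulling the PRI header out of a raw syslog line; the sample lines are constructed.

```python
import re

# Added example (not FortiSIEM code): decode a syslog PRI value into facility
# and severity per RFC 5424. The FortiSIEM table that turns syslog severity
# into eventSeverity is not on the page and is deliberately not modelled here.

SYSLOG_SEVERITIES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]
SYSLOG_FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
_PRI_HEADER = re.compile(r"^<(\d{1,3})>")


def decode_priority(pri):
    """Split a PRI value into (facility, severity).
    PRI = facility * 8 + severity, so the bottom 3 bits are the severity and
    the remaining bits the facility. Valid PRI values are 0..191 (facility 0..23)."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range 0..191: %d" % pri)
    return pri >> 3, pri & 0x7


def describe_priority(pri):
    """Return facility/severity numbers and their RFC 5424 names for a PRI value."""
    facility, severity = decode_priority(pri)
    return {
        "facility": facility,
        "facility_name": SYSLOG_FACILITIES[facility],
        "severity": severity,
        "severity_name": SYSLOG_SEVERITIES[severity],
    }


def pri_from_message(line):
    """Pull the PRI out of a raw '<PRI>...' syslog line; None when the header is missing."""
    m = _PRI_HEADER.match(line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample lines, not real device output.
    for line in [
        "<52>May  9 07:32:21 printsrv lpd[412]: queue full, job deferred",
        "<13>May  9 07:32:22 web01 app: user login ok",
        "May  9 07:32:23 relay01 no PRI header on this line",
    ]:
        pri = pri_from_message(line)
        print(pri, describe_priority(pri) if pri is not None else "no PRI")
```

The range check matters in practice: a forged or truncated header such as <999> would otherwise index past the facility table, and a line with no PRI at all should be flagged rather than silently given a default severity.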

To Unix Time (with Time Zone)

This is accomplished by the following toUnixTime function.

<setEventAttribute attr="deviceTime">toUnixTime($_deviceTime)</setEventAttribute>
_deviceTime: 20130509073221.932817-000

The sample value is in WMI CIM_DATETIME form: yyyymmddHHMMSS.mmmmmm followed by the signed offset of the local time from UTC in minutes (here -000, that is, UTC).
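As an added example (not FortiSIEM's implementation), the block below converts the WMI CIM_DATETIME layout of the sample value, yyyymmddHHMMSS.mmmmmmsUUU, to a Unix timestamp, applying the signed minute offset sUUU so that the result is in UTC. It assumes that the input is in that layout only; other formats the real toUnixTime may accept are not modelled.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not FortiSIEM code): WMI CIM_DATETIME -> Unix time.
# Layout: yyyymmddHHMMSS.mmmmmmsUUU, where sUUU is the signed offset of the
# local time from UTC in minutes ("-000" is UTC, "+060" is UTC+1).
# Assumption: toUnixTime's input on this page is always in this 25-character form.

_CIM_DATETIME = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def cim_datetime_to_unix(value):
    """Return seconds since the Unix epoch (UTC) for a CIM_DATETIME string.
    Raises ValueError for strings that are not in the CIM layout."""
    m = _CIM_DATETIME.match(value.strip())
    if not m:
        raise ValueError("not a CIM_DATETIME value: %r" % value)
    stamp, micros, sign, offset_minutes = m.groups()
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    offset = timedelta(minutes=int(offset_minutes))
    if sign == "-":
        offset = -offset
    # Attach the offset as the tzinfo; timestamp() then performs the UTC conversion.
    return local.replace(tzinfo=timezone(offset)).timestamp()


if __name__ == "__main__":
    # The page's sample value, and a constructed UTC+1 rendering of the same instant.
    print(cim_datetime_to_unix("20130509073221.932817-000"))  # 1368084741.932817
    print(cim_datetime_to_unix("20130509083221.932817+060"))  # 1368084741.932817
```

Attaching the offset as a tzinfo before calling timestamp() is what makes the two sample values agree: 08:32:21 at UTC+1 and 07:32:21 at UTC are the same instant, and a parser that ignored sUUU would be an hour off for the first one.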

Decode Base64

This is accomplished by the following decodeBase64 function.

<setEventAttribute attr="httpFullRequest">decodeBase64($_msg)</setEventAttribute>

Unzip String

This is accomplished by the following unzip function.

<setEventAttribute attr="msg">unzip($_msg)</setEventAttribute>

Calculate Latency

This is accomplished by the following calculateLatency function.

<setEventAttribute attr="_latency">calculateLatency($_evtRecvTime, $deviceTime)</setEventAttribute>

Calculates the latency between event receipt and the device time. If _evtRecvTime is later than deviceTime, the function returns the difference in seconds; otherwise it returns 0.