https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-at-broker-vm-level/m-p/587140#M6687 <P>I'm using COLLECT parsing rule to manipulate data at broker VM level before ingestion</P> <P>&nbsp;Rule basically filters out on raw log that I generate specific to my test like some log line that contains text criticalevent along with some date and random machine name.</P> <P>[Collect: vendor="unknown", product="unknown", target_broker=(mybroker), no_hit=drop]</P> <P>filter _raw_log contains "criticalevent"</P> <P>|alter a= someregex fn</P> <P>|alter b=someregex fn</P> <P>[Ingest:vendor="unknown", product="unknown", target_dataset="my_parsed_logs", no_hit=drop]</P> <P>fields a,b,c ..</P> <P>&nbsp;</P> <P>Now the resulting dataset gets all data and not the filtered data. If I put same filter condition inside ingest section then it works. But does that mean it happened at broker vm or at xdr side..</P> <P>&nbsp;</P> <P>Is there something missing her</P> <P>Coz, If I directly do Ingest without doing collect&nbsp; and directly into the same dataset then it gives desired result. But I don't think it happens at broker. Like for e.g.</P> <P>&nbsp;</P> <P>[Ingest:vendor="unknown", product="unknown", target_dataset="unknown_unknown_raw", no_hit=drop]</P> <P>Filter _raw_log contains "criticalevent"</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Am i missing something here in understanding it??</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 17 May 2024 16:13:05 GMT Fm12345 2024-05-17T16:13:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-at-broker-vm-level/m-p/587140#M6687 <P>I'm using COLLECT parsing rule to manipulate data at broker VM level before ingestion</P> <P>&nbsp;Rule basically filters out on raw log that I generate specific to my test like some log line that contains text criticalevent along with some date and random machine name.</P> <P>[Collect: vendor="unknown", product="unknown", target_broker=(mybroker), no_hit=drop]</P> <P>filter _raw_log contains "criticalevent"</P> <P>|alter a= someregex fn</P> <P>|alter b=someregex fn</P> <P>[Ingest:vendor="unknown", product="unknown", target_dataset="my_parsed_logs", no_hit=drop]</P> <P>fields a,b,c ..</P> <P>&nbsp;</P> <P>Now the resulting dataset gets all data and not the filtered data. If I put same filter condition inside ingest section then it works. But does that mean it happened at broker vm or at xdr side..</P> <P>&nbsp;</P> <P>Is there something missing her</P> <P>Coz, If I directly do Ingest without doing collect&nbsp; and directly into the same dataset then it gives desired result. But I don't think it happens at broker. Like for e.g.</P> <P>&nbsp;</P> <P>[Ingest:vendor="unknown", product="unknown", target_dataset="unknown_unknown_raw", no_hit=drop]</P> <P>Filter _raw_log contains "criticalevent"</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Am i missing something here in understanding it??</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 17 May 2024 16:13:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-at-broker-vm-level/m-p/587140#M6687 Fm12345 2024-05-17T16:13:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-at-broker-vm-level/m-p/587991#M6736 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1372551263">@Fm12345</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for reaching out on Live community.</P> <P>&nbsp;</P> <P>Would like to clarify few things first of all.</P> <P>Ingest:&nbsp;<SPAN>An&nbsp;</SPAN><STRONG class="userinput"><CODE class="hljs language-undefined">INGEST</CODE></STRONG><SPAN>&nbsp;section is used to define the resulting dataset.</SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/INGEST" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/INGEST</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Collect:&nbsp;A&nbsp;<STRONG class="userinput"><CODE class="hljs language-sql"><SPAN class="hljs-keyword">COLLECT</SPAN></CODE></STRONG>&nbsp;section defines a rule that enables data reduction and data manipulation at the Broker VM to help avoid sending unnecessary data to the&nbsp;<SPAN class="phrase">Cortex XDR</SPAN>&nbsp;server and reduces traffic, storage, and computing costs.</SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/COLLECT" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/COLLECT</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Below is the sample which you can refer and correct your query as per the need.</SPAN></P> <P><SPAN>[COLLECT:vendor="Apache", product="ApacheServer", target_brokers = (bvm1, bvm2, bvm3), no_hit = drop]<BR />alter source_log = json_extract_scalar(_raw_log, "$.source") <BR />| filter source_log = "WebApp-Logs"<BR />| fields source_log, _raw_log;<BR />[INGEST:vendor="Apache", product="ApacheServer", target_dataset = "dvwa_application_log"]<BR />alter log_timestamp = json_extract_scalar(_raw_log, "$.timestamp")<BR />| alter log_msg = json_extract_scalar(_raw_log, "$.msg")<BR />| alter log_remote_ip = json_extract_scalar(_raw_log, "$.Remote_IP")<BR />| alter scanned_ip = json_extract_scalar(_raw_log, "$.Scanned_IP")<BR />| fields log_msg ,log_remote_ip ,log_timestamp ,source_log ,scanned_ip , _raw_log;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Incase any further assistance is required, please feel free to reach out.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> Mon, 27 May 2024 08:13:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/parsing-at-broker-vm-level/m-p/587991#M6736 aspatil 2024-05-27T08:13:55Z