vimWebSessionTemplate.yaml
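# Template for an ASIM Web Session filtering parser.
# Every <...> value is a placeholder and has to be replaced before the parser is deployed.
Parser:
  Title: Web Session ASIM filtering parser for <product name>
  Version: '<parser version>'
  LastUpdated: <MMM DD, YYYY>
Product:
  Name: <product name>
Normalization:
  Schema: WebSession
  Version: '<current schema version>'
References:
- Title: ASIM Web Session Schema
  Link: https://aka.ms/ASimWebSessionDoc
- Title: ASIM
  # Scheme separator corrected: the link previously read "https:/aka.ms/AboutASIM".
  Link: https://aka.ms/AboutASIM
Description: |
  This ASIM filtering parser supports filtering and normalizing <product name> logs to the ASIM Web Session normalized schema.
ParserName: <parser function name>
EquivalentBuiltInParser: <_Im_WebSession_Product>
# Filtering parameters exposed to callers. The same names, types and defaults
# are repeated in the ParserQuery function signature below; keep both lists
# identical when adding or changing a parameter.
# NOTE(review): by ASIM convention the defaults (datetime(null), dynamic([]), '*')
# mean "do not filter on this field" - confirm against the schema document
# linked under References.
ParserParams:
  - Name: starttime
    Type: datetime
    Default: datetime(null)
  - Name: endtime
    Type: datetime
    Default: datetime(null)
  - Name: srcipaddr_has_any_prefix
    Type: dynamic
    Default: dynamic([])
  - Name: ipaddr_has_any_prefix
    Type: dynamic
    Default: dynamic([])
  - Name: url_has_any
    Type: dynamic
    Default: dynamic([])
  - Name: httpuseragent_has_any
    Type: dynamic
    Default: dynamic([])
  - Name: eventresultdetails_in
    Type: dynamic
    Default: dynamic([])
  - Name: eventresult
    Type: string
    Default: '*'
  - Name: disabled
    Type: bool
    Default: false
# The query defines a local function whose signature mirrors ParserParams and
# then calls it, passing every parameter through by name.
# <parser query body> is where each filter has to be applied: a parameter that
# the body never references filters nothing, so a caller that narrows by time
# range, address prefix, URL, user agent or result still receives every row.
# NOTE(review): by ASIM convention disabled=true should make the parser return
# no rows - confirm and implement that check in the body.
ParserQuery: |
  let parser = (
      starttime:datetime = datetime(null)
    , endtime:datetime = datetime(null)
    , srcipaddr_has_any_prefix:dynamic = dynamic([])
    , ipaddr_has_any_prefix:dynamic = dynamic([])
    , url_has_any:dynamic = dynamic([])
    , httpuseragent_has_any:dynamic = dynamic([])
    , eventresultdetails_in:dynamic = dynamic([])
    , eventresult:string = '*'
    , disabled:bool = false
  )
  {
    <parser query body>
  };
  parser (
      starttime = starttime
    , endtime = endtime
    , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix
    , ipaddr_has_any_prefix = ipaddr_has_any_prefix
    , url_has_any = url_has_any
    , httpuseragent_has_any = httpuseragent_has_any
    , eventresultdetails_in = eventresultdetails_in
    , eventresult = eventresult
    , disabled = disabled
  )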