Parse Operators
Parse operators allow you to extract fields from log messages within a query manually and on an ad-hoc basis.
As a best practice, use parse operators to build Field Extraction Rules, which automatically extract field values that you can then use to extend your query.
In this section, we will introduce the following concepts:
📄️ Parse Predictable Patterns Using an Anchor
The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions.
📄️ Parse Variable Patterns Using Regex
The Parse Regex operator (also called the extract operator) enables users comfortable with regular expression syntax to extract more complex data from log lines. Parse regex can be used, for example, to extract nested fields.
📄️ Parse JSON Formatted Logs
The JSON operator allows you to extract values from JSON logs with most JSONPath expressions. See the supported JSONPath syntax elements below.
📄️ Parse Keyvalue Formatted Logs
Typically, log files contain information that follows a key-value pair structure. The keyvalue operator allows you to get values from a log message by specifying the key paired with each value.
📄️ Parse CSV Formatted Logs
The CSV operator allows you to parse CSV (Comma Separated Values) formatted log entries. It uses a comma as the default delimiter.
📄️ Parse Delimited Logs Using Split
The split operator allows you to split strings into multiple strings, and parse delimited log entries, such as space-delimited formats.
📄️ Parse XML Formatted Logs
The XML operator uses a subset of the XPath 1.0 specification to provide a way for you to parse fields from XML logs. Using it, you can specify what to parse from an XML log using an XPath reference.
📄️ Parse field option
Sumo Logic allows you to parse previously extracted fields, or to perform initial parsing on a metadata field value (collector, source, etc.), using the additional parse syntax of field.
📄️ Parse nodrop option
The nodrop option forces results to also include messages that don't match any segment of the parse expression.
📄️ parseDate
The parseDate operator extracts a date or time from a string and provides a timestamp in milliseconds. To convert an epoch timestamp to a human-readable format, use the formatDate operator.
📄️ parseHex
The parseHex operator allows you to convert a hexadecimal string of 16 or fewer characters to a number.