Name Value Pair matcher (namevaluepair-matcher)
A Name Value Pair matcher (namevaluepair-matcher) entity names a field that is to be parsed and pairs it with the appropriate pattern of type 'NameValuePairKey' to use for parsing. This entity is new in IBM® QRadar® V7.3.3.
If multiple matchers are specified for the same field name, the matchers are run in the order in which they are listed until one of them parses successfully.
| Parameter | Description |
|---|---|
| field | The field to which you want the pattern to apply; for example, EventName or SourceIp. You can use any of the field names that are listed in Table 2. |
| pattern-id | The pattern that you want to use when the field is parsed from the payload. This value must match (including case) the ID parameter of an already defined pattern (see Table 1). |
| order | The order in which you want this pattern to be attempted among matchers that are assigned to the same field. If two matchers are assigned to the EventName field, the one with the lowest order is attempted first. The regular regex, JSON, LEEF, and CEF matchers are combined into one list. The different types of matchers are attempted based on their orders, and the process stops when one of the matchers is able to parse data from the payload. |
| enable-substitutions | Boolean. When set to Default is false. |
| ext-data | An extra-data parameter that defines any extra field information or formatting that a matcher field can provide in the extension. The only field that currently uses this parameter is DeviceTime. For example, you might have a device that sends events by using a unique time stamp, but you want the event to be reformatted to a standard device time. Use the ext-data parameter included with the DeviceTime field to reformat the date and time stamp of the event. For more information, see Table 2. |
| delimiter-pair | The delimiter between each value in a NameValuePair payload. |
| delimiter-namevalue | The delimiter between the name and value in each pair. |
Example
In the following example, the delimiter-pair is a comma (,) and the delimiter-namevalue is an equal sign (=).
key1=value1,key2=value2,key3=value3
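The following added example is not QRadar code; it is a constructed model of the matcher semantics described above (split on delimiter-pair, then on delimiter-namevalue, and for each field try its matchers in ascending order until one finds its key). The NameValuePairMatcher class, its key attribute and the run_matchers function are assumptions made for this illustration, and the MATCHERS list is constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

def parse_name_value_pairs(payload: str, delimiter_pair: str, delimiter_namevalue: str) -> Dict[str, str]:
    """Split the payload into pairs, then each pair into name and value.
    Only the first delimiter_namevalue in a token is significant, so a value
    may itself contain that character (key=a=b yields 'a=b')."""
    pairs: Dict[str, str] = {}
    for token in payload.split(delimiter_pair):
        if delimiter_namevalue not in token:
            continue  # malformed token: skip it rather than fail the whole payload
        name, value = token.split(delimiter_namevalue, 1)
        pairs.setdefault(name.strip(), value.strip())  # first occurrence wins on duplicate names
    return pairs

@dataclass(frozen=True)
class NameValuePairMatcher:           # hypothetical model of a namevaluepair-matcher entry
    field: str                         # QRadar field the value feeds, e.g. EventName
    key: str                           # stands in for the NameValuePairKey pattern: the name to look up
    order: int                         # lowest order is attempted first among matchers for one field
    delimiter_pair: str = ","
    delimiter_namevalue: str = "="

def run_matchers(payload: str, matchers: List[NameValuePairMatcher]) -> Dict[str, str]:
    """For each field, try its matchers in ascending order and stop at the
    first one whose key is present in the parsed payload."""
    result: Dict[str, str] = {}
    by_field: Dict[str, List[NameValuePairMatcher]] = {}
    for m in matchers:
        by_field.setdefault(m.field, []).append(m)
    for field, candidates in by_field.items():
        for m in sorted(candidates, key=lambda c: c.order):
            pairs = parse_name_value_pairs(payload, m.delimiter_pair, m.delimiter_namevalue)
            if m.key in pairs:
                result[field] = pairs[m.key]
                break  # a successful parse ends the search for this field
    return result

PAYLOAD = "key1=value1,key2=value2,key3=value3"  # the example payload from the page

MATCHERS = [  # constructed sample matchers
    NameValuePairMatcher(field="EventName", key="evt", order=1),   # key absent: falls through
    NameValuePairMatcher(field="EventName", key="key2", order=2),  # key present: wins
    NameValuePairMatcher(field="SourceIp", key="key3", order=1),
]

if __name__ == "__main__":
    print(run_matchers(PAYLOAD, MATCHERS))  # {'EventName': 'value2', 'SourceIp': 'value3'}
```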