If you have events that are imported into IBM® Security QRadar® Log Insights, you can select the events on which you want to base your custom data source type and send them directly to the Data Parser.
Procedure
- Click the Data Explorer tab.
- Pause the incoming results and then highlight one or more events.
  Important: You can select only a single data source type, and only the events that match the selected data source type are automatically added to the workspace.
- Open the Data Parser and choose one of the following options:
  - If you are parsing known events, select your data source type from the list.
  - If you are parsing stored events, click Create New. Enter a name for your data source type in the Data Source Type Name field and click Save.
- In the Properties tab, select the property that you want to override and click Edit. If the property is not listed, select a new property from the list of system properties.
- Enable the Override toggle.