We have a troublesome log source that we’re trying to parse using the custom parser. The log source would require us to use the ‘create a filter’ feature and filter based on several strings. After reviewing the documentation (Create Custom Parsing Rules | InsightIDR Documentation) and my experience, it seems that you can only filter based on one string; using an AND operator does not work and it includes the ‘AND’ in the filter.
My question is: Is there a way to use the ‘create a filter’ feature to search based on multiple strings, similar to using the Log Search within IDR?
No, this is not possible. What is it that you are trying to custom parse that is proving to be too difficult? Another way to filter the logs to at least get examples of the events to build the parser is to leverage the time picker to really hone in on the time when at least 10 events occurred that match the logs you are looking to parse.
We have almost 20 different custom log sources in our IDR environment. This is the first time I’ve seen a parser needing multiple strings. If I need to filter out multiple conditions, use REGEX and build the query in REGEX. All of my custom parsing rules are built that way and it’s far more consistent and reliable than the highlight method.
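As an added illustration of the regex approach in the last reply (example code written for this page, not from the thread, from Rapid7, or from InsightIDR itself): constructed log lines, an AND-style multi-string filter, and named-group field extraction in Python. Whether the InsightIDR parsing engine accepts lookaheads is not stated in the thread, so an ordered form that needs no lookaheads is shown alongside.

```python
import re

# Constructed sample lines (not from the original thread) from a
# hypothetical appliance that mixes several event types in one log source.
SAMPLE_LOGS = [
    '2024-05-01T10:00:01Z fw01 action=ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp',
    '2024-05-01T10:00:02Z fw01 action=DENY src=10.0.0.7 dst=203.0.113.9 proto=udp',
    '2024-05-01T10:00:03Z fw01 action=DENY src=10.0.0.7 dst=198.51.100.4 proto=tcp',
    '2024-05-01T10:00:04Z fw01 heartbeat ok',
]

# AND filter: every required string must be present, in any order.
# Lookaheads give AND semantics; assumption: the target engine supports them.
AND_FILTER = re.compile(r'^(?=.*\baction=DENY\b)(?=.*\bproto=tcp\b).*$')

# Same intent without lookaheads (for engines such as RE2 that lack them):
# list the terms in the order they occur in the line.
ORDERED_FILTER = re.compile(r'action=DENY.*proto=tcp')

# Field extraction with named groups, the way a custom parser pulls fields
# out of the lines that survived the filter.
FIELDS = re.compile(
    r'action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+'
    r'dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)'
)


def filter_lines(lines, pattern):
    """Return only the lines matching the compiled filter pattern."""
    return [line for line in lines if pattern.search(line)]


def parse_lines(lines, pattern=AND_FILTER):
    """Apply the multi-string filter, then extract fields from each match."""
    records = []
    for line in filter_lines(lines, pattern):
        m = FIELDS.search(line)
        if m:
            records.append(m.groupdict())
    return records


if __name__ == '__main__':
    for rec in parse_lines(SAMPLE_LOGS):
        print(rec)
```

Only the one DENY/tcp line passes both filter forms, which is the set of events you would then build the field pattern against.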