Enable and Disable Parsers and Log Parsers

Administrators can see which parsers have been downloaded from Live and deployed on a Decoder or Log Decoder, see which of these have been enabled, and enable or disable parsers and log parsers.

The following figure illustrates commonly used settings on a Decoder. For a quick basic setup with only the required steps, see Decoder and Log Decoder Quick Setup.

[Figure: netwitness_deccfgwf-cfgpars.png]

You should only download and deploy the parsers you need for the following reasons:

  • There is an impact on performance as you increase the number of deployed parsers.
  • The more parsers you deploy, the more metadata is created, which impacts data retention.
  • Not having extra (unnecessary) log parsers deployed reduces the potential for misidentification of messages.

The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates. These are the options in the Parsers Configuration panel.

Option: Enable All, Disable All
Description: These options provide a way to quickly select either all parsers or no parsers.

Option: Name
Description: The names of parsers available to the Decoder. A plus sign indicates that the metadata generated by the parser is configurable. Clicking the plus sign displays the metadata that the parser can create.

Option: Config Value
Description: A drop-down list changes the setting for the parser or metadata to Enabled, Disabled, or Transient.
  • When Enabled, the Decoder is using the parser to filter traffic.
  • When Transient, the Decoder is using the parser to filter traffic, and the generated metadata is not stored on disk. The transient metadata is available in memory to additional content (that is, parsers, feeds, and application rules) on that Decoder. This helps administrators to protect certain data and is usually done as part of a data privacy plan (see the Data Privacy Management Guide).
  • When Disabled, the Decoder is not using the parser.
If the generated metadata for the parser is configurable, clicking the plus sign to expand the parser displays configurable meta keys, and the same drop-down list selects the meta key the parser will create.

Note: For a Log Decoder, you must have previously deployed log parsers from Live. See the Find and Deploy Live Resources topic in the Live Services Management Guide for details. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

To enable or disable a parser, or to view the status for each parser:

  1. Go to (Admin) > Services.
  2. In the Administration Services view, select a Log Decoder or a Decoder, and then select [actions icon] > View > Config.
  3. In the Parsers Configuration panel, look for the Decoder parser or the Log Decoder event source parser.
  4. In the Config Value column, note the current status for your parser.

  5. Update the status of any individual parser by selecting its Config Value and selecting Disabled, Transient, or Enabled from the drop-down menu. Alternatively, you can select Enable All or Disable All to update the status for all of your log parsers at once.
  6. Click Apply.

Note that when you click Apply, all parsers are reloaded into NetWitness. The status for each parser is updated based on your selections.