AnsweredAssumed Answered

How do I modify a parser to map meta differently?

Question asked by Ben Taratoot on Jul 10, 2020
Latest reply on Jul 10, 2020 by Dave Glover

First, I'm a beginner with Netwitness so forgive me if my terminology is slightly off. I'm using the default ZScaler NSS parser from RSA. It has been working for some time. I just need to make a slight change. Currently the urlclass in the raw log is not mapped to any meta (as far as I can tell). The category meta currently shows its value equal to "none." I would like to map the urlclass in the raw ZScaler log to the category meta. I tried the instructions in the link below but it had no effect. Am I on the right track or did I change the wrong thing? Is there something else I need to change?

 

Log Parser Customize: Extend an Existing Log Parser 

Outcomes