Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Custom Properties

 

Use the Custom Extracted Properties function in JSA to expand normalized fields by adding custom fields for reports, searches, and the custom rules engine (CRE).

To extract proxy URLs, virus names, or secondary user names, review the following information:

  • Restrict your Custom Extracted Properties to a particular log source type or individual log source.

  • If your extracted property is applicable to only certain events, reduce the workload on JSA by limiting the extracted property to that event type.

  • To allow the custom property to be used by rules, forwarding profiles and search indexes, ensure that the Parse in advance for rules, reports and searches check box is selected. When this check box is selected, the property is extracted immediately during the parsing stage of the event pipeline, rather than at search time, which is the default. When the value is extracted ahead of time, searches that use the property as part of their criteria run faster. Extracting the value ahead of time puts extra load on the parsing stage of the event pipeline, so you should select this check box only for properties that must be used in rules, forwarding profiles, or large or frequently run searches.

  • The extracted property field is not indexed. However, when an event matches the property, it stores an index to the offset and length of the property, which reduces the amount of data that is searched.