Understanding Parsing
Also available as:

General Purpose Parsers

The general-purpose parser is primarily designed for lower-velocity topologies or for quickly setting up a temporary parser for a new telemetry.

General purpose parsers are defined using a config file, and you need not recompile the topology to change them. HCP supports two general purpose parsers: Grok and CSV.

Grok parser

The Grok parser class name (parserClassName) is org.apache.metron,parsers.GrokParser.

Grok has the following entries and predefined patterns for parserConfig:


The patch in HDFS (or in the Jar) to the Grok statement


The pattern label to use from the Grok statement


The field to use for timestamp


A list of fields to be treated as time


The date format to use to parse the time fields


The timezone to use. UTC is the default.

CSV Parser

The CSV parser class name (parserClassName) is org.apache.metron.parsers.csv.CSVParser

CSV has the following entries and predefined patterns for parserConfig:


The date format of the timestamp to use. If unspecified, the parser assumes the timestamp is starts at UNIX epoch.


A map of column names you wish to extract from the CSV to their offsets. For example, { 'name' : 1,'profession' : 3} would be a column map for extracting the 2nd and 4th columns from a CSV.


The column separator. The default value is ",".

JSON Map Parser

The JSON parser class name (parserClassName) is org.apache.metron.parsers.csv.JSONMapParser

JSON has the following entries and predefined patterns for parserConfig:


A strategy to indicate how to handle multi-dimensional Maps. This is one of:


Drop fields which contain maps


Unfold inner maps. So { "foo" : { "bar" : 1} } would turn into {"foo.bar" : 1}


Allow multidimensional maps


Throw an error when a multidimensional map is encountered


This field is expected to exist and, if it does not, then current time is inserted.

If this JSON query string is present, the result of the query will be a list of messages. This is useful if you have a JSON document that contains a list or array of messages embedded in it, and you do not have another means of splitting the message.