Limiting parsing to logs based on application, subsystem, or severity

In IBM® Cloud Logs, you can use the Severity Rules to limit the logs that will be affected by other parsing rules based on the on the application, subsystem, or severity of the log.

Before you begin

Parsing rules are organized inside Rule Groups. Each group has a name and a set of rules with a logical relationship between them. Logs are processed according to the order of rule group (from the beginning to the end). They are then processed by the order of rules within the rule group and according to the logical operators between them (AND/OR). Rules help you to process, parse, and restructure log data to prepare for monitoring and analysis. For more information, see Working with rule groups.

Using Severity Rules

By default, parsing rules includes a Severity Rule that matches logs of all severities, applications, and subsystems.

You can change the rule to limit the logs processed by the other rules you define in the group to only specific severity values, applications, or subsystems.

Configuring a Severity Rule

Complete the following steps to create a Severity Rule:

Click the Data pipeline icon > Parsing rules and click Severity Rules.
In the Details section, enter the Rule Group Name and the Rule Group Description. By default, the Rule Group Name is Severity Rules.
In the Rule Matcher section, configure the applications, subsystems, and severities that define the logs on which to apply the rules that are included in the rules group.
Open the Rules section. By default an Extract rule is provided to extract default severity values. Review this rule and modify for your environment if required.
Add additional rule groups by clicking Add Rule and selecting the desired rule type. Toggle AND/OR to select how you would like the additional rules processed.
Click Create Rule Group.

Rules can be made active or inactive using a switcher. Active rules will be evaluated against log data.