US Patent 11625366 System, method, and computer program for automatic parser creation

The present disclosure describes a system, method, and computer program for automatically creating a parser for a log group. A parser-creation system groups logs that do not satisfy conditions for an existing parser, enables a user to select a log group for parser creation, and automatically creates a parser for the selected log group. In creating a parser, the system extracts values and keys value pairs from the log group and identifies the corresponding normalized output fields and regular expressions for the values and key-value pairs. To identify normalized fields corresponding to values and key-value pairs, the system compares the values and key-value pairs to one or more knowledgebases that include: (1) regular expressions from existing parsers, (2) regular expressions for value types associated with normalized fields, and (3) a list of keys in key-value pairs associated with normalized fields. As the system learns new token-to-normalized fields relationships, the system adds the relationships to its knowledgebase.